STREAM CIPHERS AND NUMBER THEORY
North-Holland Mathematical Library

Board of Honorary Editors: M. Artin, H. Bass, J. Eells, W. Feit, P.J. Freyd, F.W. Gehring, H. Halberstam, L.V. Hörmander, J.H.B. Kemperman, W.A.J. Luxemburg, F.P. Peterson, I.M. Singer and A.C. Zaanen

Board of Advisory Editors: A. Björner, R.H. Dijkgraaf, A. Dimca, A.S. Dow, J.J. Duistermaat, E. Looijenga, J.P. May, I. Moerdijk, S.M. Mori, J.P. Palis, A. Schrijver, J. Sjöstrand, J.H.M. Steenbrink, F. Takens and J. van Mill

VOLUME 55

ELSEVIER Amsterdam · Lausanne · New York · Oxford · Shannon · Singapore · Tokyo

Stream Ciphers and Number Theory

Thomas W. CUSICK, State University of New York at Buffalo
Cunsheng DING, The National University of Singapore
Ari RENVALL, University of Turku

1998 ELSEVIER Amsterdam · Lausanne · New York · Oxford · Shannon · Singapore · Tokyo

ELSEVIER SCIENCE B.V., Sara Burgerhartstraat 25, P.O. Box 211, 1000 AE Amsterdam, The Netherlands
For any integer n ≥ 1, Euler's function φ(n) is defined to be the number of integers a such that gcd(a, n) = 1, where 1 ≤ a < n. This function has the following properties:

1. If p is a prime, then φ(p) = p − 1.
2. For any prime p, φ(p^k) = p^{k−1}(p − 1).
3. If m, n ≥ 1 and gcd(m, n) = 1, then φ(mn) = φ(m)φ(n); that is, φ is a multiplicative function.
4. For any integer n = ∏_{p|n} p^k, φ(n) = ∏_{p|n} p^{k−1}(p − 1).
Chapter 3. Primes, Primitive Roots and Sequences
Proofs of these properties are easy and can be found in most books about number theory.

Cyclotomic polynomials have close relations with coding theory [224]. It will be seen in the following sections that the linear complexity and period of sequences, as well as their stability, are also closely related to cyclotomic polynomials. So we summarize now some known results which are needed in later sections. Let K be a field of characteristic p, n a positive integer not divisible by p, and ζ an nth primitive root of unity over K. Then the polynomial

Q_n(x) = ∏_{s=1, gcd(s,n)=1}^{n} (x − ζ^s)

is called the nth cyclotomic polynomial over K. References about cyclotomic polynomials can be found, for example, in [222, p. 64].

Proposition 3.1.1 Basic Facts [222]:
1. Q_n(x) is independent of the choice of ζ.
2. deg(Q_n(x)) = φ(n).
3. The coefficients of Q_n(x) belong to the prime subfield of K.
4. x^n − 1 = ∏_{d|n} Q_d(x).
5. If K = GF(q) with gcd(q, n) = 1, then Q_n factors into φ(n)/d distinct monic irreducible polynomials in K[x] of the same degree d, where d is the least positive integer such that q^d ≡ 1 (mod n), i.e., d is the order (or exponent) of q modulo n, denoted as ord(q) modulo n or ord_n(q).

With the help of Propositions 3.2.1 and 3.1.1, it is not difficult to arrive at the following result, which will play an important role in designing some keystream sequences.

Proposition 3.1.2 Assume that gcd(n, q) = 1. Then Q_n is irreducible over GF(q) if and only if n = r^k, 2r^k or 4, where r is an odd prime and k > 0, and q is a primitive root modulo n.
3.2 Two Basic Problems from Stream Ciphers

For sequences of period N over the field GF(q), their linear and sphere complexity are closely related with the factorization of cyclotomic polynomials Q_n(x) over GF(q) for all factors n of N. Proposition 3.1.1 says that Q_n(x) factors into φ(n)/d distinct monic irreducible polynomials in GF(q)[x] of the same degree d, where d is the least positive integer such that q^d ≡ 1 (mod n). It follows that, to design sequences with both large linear and sphere complexity, we should find pairs (N, q) such that

1. N has as few factors as possible; and
2. for each factor n of N, d = ord_n(q) should be as large as possible.

This leads to the following two basic problems in designing cryptographic sequences for certain applications.

Basic Problem 1 Find large positive integers N and small positive integers q which are powers of primes such that
1. gcd(N, q) = 1;
2. ord_n(q) = φ(n) for any factor n ≠ 1 of N.

Basic Problem 2 Find large positive integers N and small positive integers q, q a power of a prime, such that
1. gcd(N, q) = 1;
2. N has few factors;
3. ord_n(q), a factor of φ(n), is as large as possible for any factor n ≠ 1 of N.

An integer q is said to be a primitive root of (or modulo) n if ord_n(q) = φ(n). If g ≡ g' (mod N), then g is a primitive root of N if and only if g' is a primitive root of N. So for our cryptographic purposes, we discuss here and hereafter primitive roots modulo N only in the range between 2 and N − 1. To study the two problems further, we need the following important result of Gauss, whose proof can be found in most books about number theory.

Proposition 3.2.1 If p is a prime, then there exist φ(p − 1) primitive roots of p. The only integers having primitive roots are p^e, 2p^e, 1, 2 and 4, with p being an odd prime.

This proposition shows that Basic Problem 1 has a solution if and only if N = r^k or 2r^k, with r being an odd prime. We shall investigate this basic problem in detail in Sections 3.4 and 3.5. Before dealing with Basic Problem 2, we present some basic results about the order of integers modulo n. If gcd(a, n) = 1, Euler's theorem states that
a^{φ(n)} ≡ 1 (mod n).

This implies that ord_n(a) divides φ(n). The order of a has a close relation to the Carmichael function λ(n), which is defined by

λ(1) = 1, λ(2) = 1, λ(4) = 2, λ(2^r) = 2^{r−2} (for r ≥ 3),
λ(p^r) = p^{r−1}(p − 1) = φ(p^r) for any odd prime p and r ≥ 1,
λ(2^r p_1^{r_1} p_2^{r_2} ··· p_s^{r_s}) = lcm(λ(2^r), λ(p_1^{r_1}), ..., λ(p_s^{r_s})),

where lcm denotes the least common multiple. It is not difficult to see that the order of a modulo n is at most equal to λ(n), and that λ(n) divides φ(n).

It seems difficult to solve Basic Problem 2 completely. However, for those N's which are a product of two distinct primes, it is possible to find the associated q's such that (N, q) is a solution of Basic Problem 2. We shall deal with this problem in Section 3.8.

Before ending this section, we make some preparations for the following two sections. Specifically, we introduce now the concept of negative order of an integer a modulo an integer N, and discuss the relation of the negative order with the order.

Definition 3.2.2 Let N and a be positive integers. If there is a positive integer m such that a^m ≡ −1 (mod N), then we call the smallest such m the negative order of a modulo N (we coin the word "negord" to denote the negative order), and denote it as nord_N(a).

An integer a may have a negord modulo an integer N or not. As an example, we consider N = 23. It is easily checked that 1, 2, 4, 8, 16, 9, 18, 13, 3, 6 and 12 have no negord, but 17, 11, 22, 21, 19, 15, 7 and 14 have a negord. It is for the purpose of investigating the order that we introduce the concept of the negord. The relation of the order and negord is stated in the following theorem.

Theorem 3.2.3 Let N be a positive integer. If an integer a, where 1 ≤ a < N − 1 and gcd(a, N) = 1, has a negord modulo N, then ord_N(a) = 2 nord_N(a).

Proof: By definition a^{nord_N(a)} ≡ −1 (mod N). It follows that a^{2 nord_N(a)} ≡ 1 (mod N). Hence, ord_N(a) divides 2 nord_N(a). We now prove that ord_N(a) ≥ 2 nord_N(a). If not so, then there are two possibilities: ord_N(a) < nord_N(a), and nord_N(a) < ord_N(a) < 2 nord_N(a). It is easily verified that in both cases there must exist an integer l, where 1 ≤ l < nord_N(a), such that a^l ≡ −1 (mod N). This is contrary to the minimality of the negord of a modulo N. Thus, ord_N(a) must be equal to 2 nord_N(a). □

A simple property of negord, which is similar to that of order, is the following conclusion.
Theorem 3.2.4 If a^m ≡ −1 (mod N) for a positive integer m, then nord_N(a) | m and m/nord_N(a) is odd.

Proof: Let m = nord_N(a)·h + l, where 0 ≤ l < nord_N(a). We first prove that h must be odd. From a^m = (a^{nord_N(a)})^h a^l ≡ −1 (mod N) we get a^l ≡ (−1)^{h+1} (mod N). By the definition of the negord h is odd. If l ≠ 0, then l ≥ 1. The equation a^l ≡ 1 (mod N) gives that ord_N(a) < nord_N(a), which is contrary to Theorem 3.2.3. Therefore, l = 0. This completes the proof. □

Now we give a characterization of primitive roots in terms of negord. This characterization is useful in searching for primitive roots.

Theorem 3.2.5 Let N be a positive integer > 4 which has primitive roots. Then a is a primitive root modulo N if and only if nord_N(a) = φ(N)/2.

Proof: If a is a primitive root modulo N, by Proposition 3.2.1 N must be of the form p^e or 2p^e, where p is an odd prime. Thus φ(N) must be even. Since a^{φ(N)} ≡ 1 (mod N), we get

(a^{φ(N)/2} + 1)(a^{φ(N)/2} − 1) ≡ 0 (mod N).

Since a has order φ(N), a^{φ(N)/2} is the element of order 2 in the cyclic group of units modulo N, so this gives a^{φ(N)/2} ≡ −1 (mod N). Thus, the negord of a modulo N exists. Now by Theorem 3.2.3 we have nord_N(a) = φ(N)/2. The remaining part then follows from Theorem 3.2.3. □

This theorem shows that a necessary condition for a to be a primitive root is a^{φ(N)/2} ≡ −1 (mod N). It can be used as a criterion for primitivity. As an example, we take N = 43. Then we have 2^{φ(N)/2} = 2^{(N−1)/2} = 2^{3·7} ≡ −1 (mod N). But 2 is not a primitive root of 43. This is because nord_43(2) = 7 ≠ 21.
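The following Python program is an added example and is not part of the book: it computes ord_N(a), nord_N(a) and φ(N) directly, checks Theorem 3.2.3 on the book's N = 23, reproduces the N = 43 observation above (2^21 ≡ −1 but 2 is not a primitive root, since nord_43(2) = 7 ≠ 21), and tests a pair (N, q) against Basic Problem 1. All function names are this example's own.

```python
# Added example (not from the book): order, negord and the primitive-root
# criterion of Theorems 3.2.3 and 3.2.5, checked on the book's N = 23 and N = 43.
from math import gcd


def euler_phi(n):
    """Euler's function phi(n), computed from the prime factorization of n."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:
        result -= result // m
    return result


def order(a, n):
    """ord_n(a): least t >= 1 with a^t = 1 (mod n); requires gcd(a, n) = 1, n > 1."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    t, x = 1, a % n
    while x != 1:
        x, t = x * a % n, t + 1
    return t


def negord(a, n):
    """nord_n(a): least m >= 1 with a^m = -1 (mod n), or None if no such m exists.
    Powers of a repeat with period ord_n(a), so searching that far suffices."""
    x = a % n
    for m in range(1, order(a, n) + 1):
        if x == n - 1:
            return m
        x = x * a % n
    return None


def is_primitive_root(a, n):
    """a is a primitive root modulo n iff ord_n(a) = phi(n)."""
    return gcd(a, n) == 1 and order(a, n) == euler_phi(n)


def solves_basic_problem_1(N, q):
    """Basic Problem 1: gcd(N, q) = 1 and ord_n(q) = phi(n) for every divisor
    n != 1 of N, i.e. q is a primitive root of every nontrivial divisor of N."""
    if gcd(N, q) != 1:
        return False
    return all(order(q, n) == euler_phi(n) for n in range(2, N + 1) if N % n == 0)


if __name__ == "__main__":
    # N = 23: the elements having a negord are exactly those of even order.
    with_negord = [a for a in range(1, 23) if negord(a, 23) is not None]
    print("N = 23, elements having a negord:", with_negord)
    print("Theorem 3.2.3 holds for all of them:",
          all(order(a, 23) == 2 * negord(a, 23) for a in with_negord))
    # N = 43: 2^21 = -1 (mod 43), yet 2 is not a primitive root, because
    # nord_43(2) = 7 != phi(43)/2 = 21 (Theorem 3.2.5).
    print("2^21 mod 43 =", pow(2, 21, 43), " nord_43(2) =", negord(2, 43),
          " 2 primitive?", is_primitive_root(2, 43))
    print("3 primitive root of 43?", is_primitive_root(3, 43),
          " nord_43(3) =", negord(3, 43))
    print("(N, q) = (43, 3) solves Basic Problem 1?", solves_basic_problem_1(43, 3))
```

The negord search stops at ord_n(a) because a^m takes only ord_n(a) distinct values; an element of odd order therefore never reaches −1, which is why half of the units modulo 23 have no negord.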
3.3 A Basic Theorem and Main Bridge

As linear and sphere complexity are important security criteria for keystream sequences for additive stream ciphering, the control of these two parameters becomes one of the key issues in designing keystream generators. For this purpose the following Basic Theorem 3.3.1 is useful [100].

Basic Theorem 3.3.1 Suppose N = p_1^{e_1} ··· p_t^{e_t}, where p_1, ..., p_t are t pairwise distinct primes, and q is a positive integer such that gcd(q, N) = 1. Then for each nonconstant sequence s^∞ of period N over GF(q),

L(s^∞) ≥ min{ord_{p_1}(q), ..., ord_{p_t}(q)} and

SC_k(s^∞) ≥ min{ord_{p_1}(q), ..., ord_{p_t}(q)}, if k < min{W_H(s^N), N − W_H(s^N)}.
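The following Python program is an added example and is not part of the book. It makes the structural reason behind Basic Theorem 3.3.1 visible: from Proposition 3.1.1 it lists the degrees of the irreducible factors of x^N − 1 over GF(q), computes the bound min{ord_{p_i}(q)}, and enumerates every value the linear complexity of a period-N sequence can take (the minimal polynomial divides x^N − 1, so L(s^∞) is a sum of some of those degrees). Function names are this example's own; q is any prime power with gcd(N, q) = 1.

```python
# Added example (not from the book): the factor structure of x^N - 1 over
# GF(q) given by Proposition 3.1.1, the bound of Basic Theorem 3.3.1, and the
# set of linear complexities a sequence of period N can have.
from math import gcd


def euler_phi(n):
    """phi(n) by direct count (fine for the small moduli used here)."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)


def order(a, n):
    """ord_n(a) for gcd(a, n) = 1 and n > 1: least t >= 1 with a^t = 1 (mod n)."""
    t, x = 1, a % n
    while x != 1:
        x, t = x * a % n, t + 1
    return t


def prime_factors(n):
    """Distinct prime divisors of n, in increasing order."""
    ps, p = [], 2
    while p * p <= n:
        if n % p == 0:
            ps.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        ps.append(n)
    return ps


def irreducible_factor_degrees(N, q):
    """Degrees of the monic irreducible factors of x^N - 1 over GF(q).
    x^N - 1 = prod_{d|N} Q_d(x), and Q_d splits into phi(d)/ord_d(q) distinct
    irreducibles of degree ord_d(q) (Proposition 3.1.1, items 4 and 5)."""
    if gcd(N, q) != 1:
        raise ValueError("need gcd(N, q) = 1")
    degrees = []
    for d in range(1, N + 1):
        if N % d == 0:
            e = order(q, d) if d > 1 else 1        # Q_1(x) = x - 1
            degrees += [e] * (euler_phi(d) // e)
    return sorted(degrees)


def basic_theorem_bound(N, q):
    """min{ord_p(q) : p a prime divisor of N}: the lower bound of Basic Theorem
    3.3.1 on the linear complexity of every nonconstant sequence of period N."""
    return min(order(q, p) for p in prime_factors(N))


def attainable_linear_complexities(N, q):
    """Every sum over a sub-multiset of the factor degrees.  The minimal
    polynomial of a period-N sequence divides x^N - 1, so L(s^inf) is one of
    these values (0 is the zero sequence; a nonzero constant sequence has L = 1)."""
    sums = {0}
    for e in irreducible_factor_degrees(N, q):
        sums |= {s + e for s in sums}
    return sorted(sums)


if __name__ == "__main__":
    for N, q in [(7, 2), (15, 2), (43, 2), (43, 3)]:
        print(f"N={N}, q={q}: degrees={irreducible_factor_degrees(N, q)}, "
              f"bound={basic_theorem_bound(N, q)}, "
              f"attainable L={attainable_linear_complexities(N, q)}")
```

For N = 43 and q = 2 the output shows x^43 − 1 = (x − 1) times three factors of degree ord_43(2) = 14, so a nonconstant binary sequence of period 43 has L ∈ {14, 15, 28, 29, 42, 43}; with q = 3 (a primitive root of 43) the only values are 42 and 43.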
To prove this theorem, we need the following two propositions.
Proposition 3.3.2 Let n_1, n_2, ..., n_t be pairwise relatively prime positive integers, and g an integer with gcd(g, n_i) = 1 for each 1 ≤ i ≤ t

> 5 prime. The integer 3 is, of course, a primitive root of such primes q by Proposition 3.5.8. Applying Theorem 3.2.5 yields the following corollary:

Corollary 3.5.10 Let N = 4t − 1 be a prime with t = 3k + 2. If 2k + 1 is prime, then 3 is a primitive root modulo N if and only if

3^{2k+1} ≢ −1 (mod N),  3^{3(2k+1)} ≢ 1 (mod N).
It is clear that the above results can be further generalized to the cases in which t and 2t − 1 have square factors. It is easily seen from the above discussions that the following corollaries, which are similar to Corollaries 3.4.11–3.4.13 respectively, are true.

Corollary 3.5.11 If N = 4t + 1 and t = 3k + 1 are odd primes, then for any nonconstant sequence s^∞ of period N over GF(3) and over GF(3^s mod N) with gcd(s, N − 1) = 1 and with 3^s mod N being a power of a prime,
1. L(s^∞) = N or N − 1;
2. SC_k(s^∞) = N or N − 1, if k < min{W_H(s^N), N − W_H(s^N)}; 0, otherwise.

Corollary 3.5.12 Let N = 4t − 1 be a prime with t = 3k + 2 (t odd or even). If (N − 1)/6 is prime, 3^{2k+1} ≢ −1 (mod N) and 3^{3(2k+1)} ≢ 1 (mod N), then for any nonconstant sequence s^∞ of period N over GF(3) and over GF(3^s mod N) with gcd(s, N − 1) = 1 and with 3^s mod N being a power of a prime,
1. L(s^∞) = N or N − 1;
2. SC_k(s^∞) = N or N − 1, if k < min{W_H(s^N), N − W_H(s^N)}; 0, otherwise.

Corollary 3.5.13 Let N = 4t + 1 be a prime with t = 3k + 1 = 2^m t_1 t_2, where t_1 and t_2 are odd primes. If

3^{2^{m+1} t_1} ≢ −1 (mod N),
3^{2^{m+1} t_2} ≢ −1 (mod N),
3^{2^{m+1} t_1 t_2} ≢ 1 (mod N),

then for any nonconstant sequence s^∞ of period N over GF(3) and over GF(3^s mod N) with gcd(s, N − 1) = 1 and with 3^s mod N being a power of a prime,
1. L(s^∞) = N or N − 1;
2. SC_k(s^∞) = N or N − 1, if k < min{W_H(s^N), N − W_H(s^N)}; 0, otherwise.

The foregoing corollaries, which show how to control the linear and sphere complexity of sequences of period N over fields GF(3) and GF(3^s mod N), are cryptographically quite useful in designing ternary keystream sequences. Some ternary keystream generators based on these results will be constructed in later chapters.

3.6 Primes, Negord and Sequences
As shown in the foregoing sections, large primes having certain small primitive roots are useful in constructing cryptographic sequences. However, such primes may not be easy to find. We now show that some primes can also be used to construct cryptographic ternary sequences, even if they do not have primitive root 3. In Section 3.5 we have seen that primes of the form k2^m + 1 are cryptographically valuable, when k is a large prime and m is absolutely small, i.e., the Tchebychef primes, which have primitive root 3. But two things should be made clear. First, primes of the forms 4p + 1, 8p + 1 and 16p + 1 seem hard to find, where p is also prime. Second, most of the known large primes of the form k2^m + 1 have a very small k which is not a prime. It seems difficult to say whether such large primes have a small primitive root other than 2. However, we will prove that some of them are cryptographically valuable, even though they may have no small prime primitive root.

Theorem 3.6.1 Let N = 4t + 1 be a prime with t = 3k + 1 = 2^m t', where t' is odd. Then for any nonconstant sequence s^∞ of period N over GF(3),
1. L(s^∞) ≥ 2^{m+2};
2. SC_k(s^∞) ≥ 2^{m+2}, if k < min{W_H(s^N), N − W_H(s^N)}; 0, otherwise.

Proof: By Theorem 3.5.4 ord_N(3) ≥ 2^{m+2}. Then the conclusion follows from Theorem 3.4.5. □

This theorem demonstrates that every sequence of such a period N over GF(3) without bad balance has both large linear and sphere complexity, if t' is very small. Similarly, we can prove the following results for sequences over GF(5), GF(7), GF(11), GF(13) and GF(17).

Theorem 3.6.2 Let N = 4t + 1 be a prime with t being one of the forms 5k + 3 and 5k + 4 and t = 2^m t', where t' is odd. Then for any nonconstant sequence s^∞ of period N over GF(5),
1. L(s^∞) ≥ 2^{m+2};
2. SC_k(s^∞) ≥ 2^{m+2}, if k < min{W_H(s^N), N − W_H(s^N)}; 0, otherwise.

Theorem 3.6.3 Let N = 4t + 1 be a prime with t being of one of the forms 7k + 1, 7k + 3 and 7k + 4 and t = 2^m t', where t' is odd. Then for any nonconstant sequence s^∞ of period N over GF(7),
1. L(s^∞) ≥ 2^{m+2};
2. SC_k(s^∞) ≥ 2^{m+2}, if k < min{W_H(s^N), N − W_H(s^N)}; 0, otherwise.

Theorem 3.6.4 Let N = 4t + 1 be a prime with t being of one of the forms 11k + 3, 11k + 4, 11k + 5, 11k + 7 and 11k + 10, and with t = 2^m t', where t' is odd. Then for any nonconstant sequence s^∞ of period N over GF(11),
1. L(s^∞) ≥ 2^{m+2};
2. SC_k(s^∞) ≥ 2^{m+2}, if k < min{W_H(s^N), N − W_H(s^N)}; 0, otherwise.

Theorem 3.6.5 Let N = 4t + 1 be a prime with t being one of the forms 13k + 1, 13k + 5, 13k + 8, 13k + 10, 13k + 11 and 13k + 12, and with t = 3k + 1 = 2^m t', where t' is odd. Then for any nonconstant sequence s^∞ of period N over GF(13),
1. L(s^∞) ≥ 2^{m+2};
2. SC_k(s^∞) ≥ 2^{m+2}, if k < min{W_H(s^N), N − W_H(s^N)}; 0, otherwise.

Theorem 3.6.6 Let N = 4t + 1 be a prime with t being one of the forms 17k + 1, 17k + 7, 17k + 9, 17k + 10, 17k + 11, 17k + 14, 17k + 15 and 17k + 16, and with t = 2^m t', where t' is odd. Then for any nonconstant sequence s^∞ of period N over GF(17),
1. L(s^∞) ≥ 2^{m+2};
2. SC_k(s^∞) ≥ 2^{m+2}, if k < min{W_H(s^N), N − W_H(s^N)}; 0, otherwise.

3.7 Prime Powers, Primitive Roots and Sequences
Cryptographically, we are interested in sequences with period equal to a square of a prime because their linear and sphere complexity are easy to control. We investigate now sequences of period N = r^2, with r an odd prime, over some fields. As a corollary of Theorems 3.4.2 or 3.4.3 we have the following results:

Corollary 3.7.1 Let r be an odd prime, N = r^2 and q a primitive root modulo r. Assume that r^2 does not divide q^{r−1} − 1, then for any nonconstant sequence s^∞ of period N over GF(q),
1. L(s^∞) must be equal to one of {√N, √N − 1, N − √N, N − √N + 1, N − 1, N};
2. SC_k(s^∞) ≥ √N − 1, if k < min{W_H(s^N), N − W_H(s^N)}.

Proof: Since q is a primitive root of r and r^2 does not divide q^{r−1} − 1 by assumptions, by Proposition 3.4.1 q must be a primitive root of r^2. Thus, by Proposition 3.1.1 the cyclotomic polynomials Q_r(x) and Q_{r^2}(x) are irreducible over GF(q). Again from the properties of cyclotomic polynomials it follows that

x^N − 1 = (x − 1)Q_r(x)Q_{r^2}(x).

Note that deg(Q_r(x)) = r − 1 and deg(Q_{r^2}(x)) = r(r − 1) since q is a common primitive root of r and r^2. Combining these facts and the fact that the minimum polynomial of each sequence of period N over GF(q) divides x^N − 1 proves this theorem. □

Corollary 3.7.1 can also be proved with the following Proposition 3.7.2 and the facts that

x^N − 1 = (x − 1)Q_r(x)Q_{r^2}(x)

and

Q_{r^2}(x) = Q_r(x^r).

The assumption that r^2 does not divide q^{r−1} − 1 ensures that Q_r(x^r) is irreducible over GF(q).

Proposition 3.7.2 Let f_1(x), f_2(x), ..., f_N(x) be all the distinct monic irreducible polynomials in GF(q)[x] of degree m and order e, and let t > 2 be an integer whose prime factors divide e but not (q^m − 1)/e. Assume also q^m ≡ 1 (mod 4) if t ≡ 0 (mod 4). Then f_1(x^t), f_2(x^t), ..., f_N(x^t) are all the distinct monic irreducible polynomials in GF(q)[x] of degree mt and order et.

For proof of this proposition, we refer to [222, pp. 97–98].

To apply Corollary 3.7.1 to the design of keystream sequences over GF(q), we should find large primes r such that r^2 does not divide q^{r−1} − 1. A prime p satisfying the congruence

a^{p−1} ≡ 1 (mod p^2)

is called a Wieferich prime with base a. Other primes are called non-Wieferich primes with base a. Concerning the Wieferich primes, the following two problems are open [294]:
1. Given base a > 2, do there exist infinitely many Wieferich primes?
2. Given base a > 2, do there exist infinitely many non-Wieferich primes?

For our applications, we are mostly interested in finding some large non-Wieferich primes with small bases a equal to a prime or a prime power, especially a = 2, 3, 5, 7, 11 and some small powers of these primes. Lehmer showed in 1981 that, with the exceptions of 1093 and 3511, there are no other Wieferich primes p < 6 × 10^9 with base 2 [213]. With base 3, it has been proven that there are only two Wieferich primes, 11 and 10006003, for p < 2^30 [328, 294, 35]. A table of the Wieferich primes with bases up to 99 and p < 2^32 has been given in [252]. The quotient

q_p(a) = (a^{p−1} − 1)/p

is called the Fermat quotient of p with base a. It is interesting to see that the residue modulo p of the Fermat quotient behaves like a logarithm: If p does not divide ab, then

q_p(ab) ≡ q_p(a) + q_p(b) (mod p).

Also

q_p(p − 1) ≡ 1 (mod p),  q_p(p + 1) ≡ −1 (mod p).

This logarithm property may be useful in designing cryptosystems. It is also interesting that Wieferich primes and Fermat quotients have connections with the first case of Fermat's last theorem [294]. It seems easy to find non-Wieferich primes N = 4t + 1 with bases 2 and 3 and with t being odd [294]. Indeed, Wieferich primes are almost certainly rare. Thus, to construct sequences with period equal to a prime square, we can find a primitive root q of some prime r and test whether r^2 divides q^{r−1} − 1. Of course, theoretical results can avoid such a test. Specific sequence generators of this kind will be discussed in later chapters.
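The following Python program is an added example and is not part of the book. It implements the Wieferich test a^{p−1} ≡ 1 (mod p^2), the Fermat quotient q_p(a) with the logarithm-like property just stated, and the test a designer would run before using period N = r^2 over GF(q) under Corollary 3.7.1 (q a primitive root of r, and r non-Wieferich with base q). Function names are this example's own.

```python
# Added example (not from the book): the Wieferich test, Fermat quotients with
# their logarithm-like property, and a checker for the hypotheses of
# Corollary 3.7.1.
from math import gcd


def is_prime(n):
    """Trial-division primality test; adequate for the small r used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def order(a, n):
    """ord_n(a) for gcd(a, n) = 1 and n > 1: least t >= 1 with a^t = 1 (mod n)."""
    t, x = 1, a % n
    while x != 1:
        x, t = x * a % n, t + 1
    return t


def is_wieferich(p, a):
    """p is a Wieferich prime with base a iff a^(p-1) = 1 (mod p^2)."""
    return pow(a, p - 1, p * p) == 1


def fermat_quotient(p, a):
    """q_p(a) = (a^(p-1) - 1)/p, an integer by Fermat's little theorem when p does not divide a."""
    if a % p == 0:
        raise ValueError("p must not divide a")
    return (pow(a, p - 1) - 1) // p          # exact big-integer arithmetic


def log_property_holds(p, a, b):
    """Checks q_p(ab) = q_p(a) + q_p(b) (mod p) for p not dividing ab."""
    return (fermat_quotient(p, a * b) - fermat_quotient(p, a) - fermat_quotient(p, b)) % p == 0


def corollary_3_7_1_applies(r, q):
    """Hypotheses of Corollary 3.7.1 for period N = r^2 over GF(q): r an odd
    prime, q a primitive root of r, and r^2 not dividing q^(r-1) - 1, i.e.
    r is non-Wieferich with base q."""
    return (r > 2 and is_prime(r) and gcd(q, r) == 1
            and order(q, r) == r - 1 and not is_wieferich(r, q))


def linear_complexity_candidates(r):
    """The six values Corollary 3.7.1 allows for L(s^inf) when N = r^2."""
    N = r * r
    return sorted({r, r - 1, N - r, N - r + 1, N - 1, N})


if __name__ == "__main__":
    print("base-2 Wieferich test on 1093, 3511, 7:", [is_wieferich(p, 2) for p in (1093, 3511, 7)])
    print("base-3 Wieferich test on 11:", is_wieferich(11, 3))
    print("q_7(2), q_7(3), q_7(6) =", fermat_quotient(7, 2), fermat_quotient(7, 3), fermat_quotient(7, 6))
    print("q_7(6) mod 7 =", fermat_quotient(7, 6) % 7, " q_7(8) mod 7 =", fermat_quotient(7, 8) % 7)
    print("Corollary 3.7.1 for (r, q) = (7, 3):", corollary_3_7_1_applies(7, 3),
          linear_complexity_candidates(7))
```

The modular exponentiation pow(a, p − 1, p²) makes the Wieferich test cheap even for large r, so in practice the test is far cheaper than the primitive-root check that precedes it.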
3.8 Prime Products and Sequences

In this section we examine cryptographic sequences with period equal to the product of two distinct primes over some fields. We show that there are many cryptographically good sequences of this kind. Let N = rs be the product of two distinct odd primes, so there is no primitive root modulo N. However, we have

x^N − 1 = ∏_{d|N} Q_d(x) = (x − 1)Q_r(x)Q_s(x)Q_{rs}(x),

and we show that there exist integers N such that many sequences of period N over some fields have both large linear and sphere complexity. First, we have the following theorem.

Theorem 3.8.1 Let N = rs be a product of two distinct primes, q a common primitive root of both r and s. Then for every nonconstant sequence s^∞ of period N over GF(q),
1. L(s^∞) ≥ min{r − 1, s − 1};
2. SC_k(s^∞) ≥ min{r − 1, s − 1}, if k < min{W_H(s^N), N − W_H(s^N)}.

Proof: This is a special case of Basic Theorem 3.3.1. □

More generally, we have the following theorem:

Theorem 3.8.2 Let r_1, ..., r_t be t pairwise distinct primes, N = r_1 ··· r_t, q a positive integer such that gcd(q, N) = 1. Then for each nonconstant sequence s^∞ of period N over GF(q),
1. L(s^∞) ≥ min{ord_{r_1}(q), ..., ord_{r_t}(q)};
2. SC_k(s^∞) ≥ min{ord_{r_1}(q), ..., ord_{r_t}(q)}, if k < min{W_H(s^N), N − W_H(s^N)}.

Proof: This is a special case of Basic Theorem 3.3.1. □

Theorems 3.8.1 and 3.8.2 clearly show that to design sequences with large linear and sphere complexity, it suffices to find primes r and s such that min{ord_r(q), ord_s(q)} is large enough.

3.8.1 Binary Sequences and Primes

Basing on Theorem 3.8.1 or Theorem 3.8.2, we can easily prove the following corollaries:

Corollary 3.8.3 Let r = 4t_1 + 1, s = 4t_2 + 1, r ≠ s. If r, s, t_1 and t_2 are odd primes, then for any nonconstant binary sequence s^∞ of period N = rs,
1. L(s^∞) ≥ min{r − 1, s − 1};
2. SC_k(s^∞) ≥ min{r − 1, s − 1}, if k < min{W_H(s^N), N − W_H(s^N)}.

Proof: By Proposition 3.4.6, 2 is a common primitive root of r and s. Then the conclusion of this corollary follows from Theorem 3.8.1 or 3.8.2. □

Corollary 3.8.4 Let r = 4r_1 − 1, s = 4s_1 − 1, and let (r − 1)/2 and (s − 1)/2 be odd primes. Then for each binary nonconstant sequence s^∞ of period N = rs,
1. L(s^∞) ≥ min{r − 1, s − 1};
2. SC_k(s^∞) ≥ min{r − 1, s − 1}, if k < min{W_H(s^N), N − W_H(s^N)}.

Proof: By Proposition 3.4.7, 2 is a common primitive root of r and s. Then the conclusion of this corollary follows from Theorem 3.8.1 or 3.8.2. □

Corollary 3.8.5 Let r = 4r_1 + 1, s = 4s_1 − 1. If r, r_1, s, (s − 1)/2 are odd primes, then for each binary nonconstant sequence s^∞ of period N = rs,
1. L(s^∞) ≥ min{r − 1, s − 1};
2. SC_k(s^∞) ≥ min{r − 1, s − 1}, if k < min{W_H(s^N), N − W_H(s^N)}.

Proof: By Propositions 3.4.6 and 3.4.7, 2 is a common primitive root of r and s. Then the conclusion of this corollary follows from Theorem 3.8.1 or 3.8.2. □

We can also use Propositions 3.4.8 and 3.4.9 to get four kinds of binary sequences with period equal to a product of two primes, which have large linear and sphere complexity if they do not have bad balance between the number of 1's and 0's in one periodic segment.
3.8.2 Ternary Sequences and Primes

To design ternary sequences, we need prime pairs (r, s) which have the common primitive root 3 or prime pairs such that the orders of 3 modulo r and s are large enough. Propositions 3.5.3–3.5.8 enable us to find such prime pairs having common primitive root 3. For example, Proposition 3.5.3 and Theorem 3.8.1 give the following corollary.

Corollary 3.8.6 Let r = 4r_1 + 1, s = 4s_1 + 1, where r, r_1, s, s_1 all are primes, and r_1 ≡ s_1 ≡ 1 (mod 3). Then for each nonconstant ternary sequence s^∞ of period N = rs, we have
1. L(s^∞) ≥ min{r − 1, s − 1};
2. SC_k(s^∞) ≥ min{r − 1, s − 1}, if k < min{W_H(s^N), N − W_H(s^N)}.

Since the primes of form q = 8p + 1 with p > 5 prime are Tchebychef primes, we obtain the following two corollaries from Theorem 3.8.1 plus Propositions 3.5.3 and 3.5.8.

Corollary 3.8.7 Let r = 4r_1 + 1, s = 8s_1 + 1, where r, r_1, s, s_1 all are primes, and r_1 ≡ 1 (mod 3). If s > 41, then for each nonconstant ternary sequence s^∞ of period N = rs,
1. L(s^∞) ≥ min{r − 1, s − 1};
2. SC_k(s^∞) ≥ min{r − 1, s − 1}, if k < min{W_H(s^N), N − W_H(s^N)}.

Corollary 3.8.8 Let r = 8r_1 + 1, s = 8s_1 + 1, where r, r_1, s, s_1 all are primes. If r > 41 and s > 41, then for each nonconstant ternary sequence s^∞ of period N = rs,
1. L(s^∞) ≥ min{r − 1, s − 1};
2. SC_k(s^∞) ≥ min{r − 1, s − 1}, if k < min{W_H(s^N), N − W_H(s^N)}.

In some later chapters we will construct generators which can realize the above binary and ternary sequences. Theorems about sequences with period equal to a product of two distinct primes over GF(q) can also be similarly established.
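The following Python program is an added example and is not part of the book. It searches small ranges for prime pairs (r, s) of the forms used in Corollaries 3.8.3 and 3.8.6–3.8.8, confirms directly that 2 (binary case) or 3 (ternary case) is a common primitive root, which is exactly what Theorem 3.8.1 needs, and reports the resulting bound min{r − 1, s − 1}. Function names and the search bounds are this example's own.

```python
# Added example (not from the book): prime pairs (r, s) with a common
# primitive root 2 or 3, as in Corollaries 3.8.3 and 3.8.6-3.8.8, and the
# linear-complexity bound Theorem 3.8.1 gives for period rs.
from math import gcd


def is_prime(n):
    """Trial-division primality test; adequate for the small search bounds here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def order(a, n):
    """ord_n(a) for gcd(a, n) = 1 and n > 1: least t >= 1 with a^t = 1 (mod n)."""
    t, x = 1, a % n
    while x != 1:
        x, t = x * a % n, t + 1
    return t


def is_primitive_root_of_prime(q, p):
    """q is a primitive root of the prime p iff ord_p(q) = p - 1 = phi(p)."""
    return gcd(q, p) == 1 and order(q, p) == p - 1


def theorem_3_8_1_bound(r, s, q):
    """min{r - 1, s - 1} when q is a common primitive root of the distinct
    primes r and s (Theorem 3.8.1); None when the hypothesis fails."""
    if r == s or not (is_primitive_root_of_prime(q, r) and is_primitive_root_of_prime(q, s)):
        return None
    return min(r - 1, s - 1)


def pairs(primes):
    """All (r, s) with r < s drawn from an increasing list of primes."""
    return [(r, s) for i, r in enumerate(primes) for s in primes[i + 1:]]


def corollary_3_8_3_pairs(bound):
    """r = 4t + 1 <= bound with r and t odd primes (Corollary 3.8.3); such r
    have 2 as a primitive root by Proposition 3.4.6."""
    rs = [r for r in range(13, bound + 1, 4)
          if is_prime(r) and is_prime((r - 1) // 4) and (r - 1) // 4 % 2 == 1]
    return pairs(rs)


def corollary_3_8_6_pairs(bound):
    """r = 4r1 + 1 <= bound with r, r1 prime and r1 = 1 (mod 3) (Corollary 3.8.6);
    such r have 3 as a primitive root by Proposition 3.5.3."""
    rs = [r for r in range(5, bound + 1, 4)
          if is_prime(r) and is_prime((r - 1) // 4) and (r - 1) // 4 % 3 == 1]
    return pairs(rs)


def tchebychef_primes_8p_plus_1(bound):
    """Primes r = 8p + 1 > 41 with p prime (Corollary 3.8.8); 3 is a primitive root of each."""
    return [r for r in range(49, bound + 1, 8) if is_prime(r) and is_prime((r - 1) // 8)]


if __name__ == "__main__":
    for r, s in corollary_3_8_3_pairs(100):
        print(f"binary,  N = {r}*{s}: L >= {theorem_3_8_1_bound(r, s, 2)}")
    for r, s in corollary_3_8_6_pairs(100):
        print(f"ternary, N = {r}*{s}: L >= {theorem_3_8_1_bound(r, s, 3)}")
    for r, s in pairs(tchebychef_primes_8p_plus_1(150)):
        print(f"ternary (Cor. 3.8.8), N = {r}*{s}: L >= {theorem_3_8_1_bound(r, s, 3)}")
```

Because theorem_3_8_1_bound recomputes the orders instead of trusting the corollary's form, it also serves as a guard against a candidate pair that fits the arithmetic pattern but was mis-generated; it returns None whenever q fails to be a primitive root of either prime.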
3.9 On Cryptographic Primitive Roots

One role of primitive roots in stream ciphers has already been made clear in Sections 3.4 to 3.8. Primes serve as periods or as factors of periods for keystream sequences, while primitive roots determine the base fields over which the sequences are constructed. We call primitive roots which are small powers of small primes cryptographic primitive roots. Without small primitive roots which are a prime power, a prime may have little cryptographic value for stream ciphers. Thus the distribution of primitive roots has cryptographic importance. This distribution has been investigated by many scholars, to mention a few, Carlitz [48], Vegh [359, 360, 361], Szalay [348] and Shoup [331]. What we need for stream ciphers is small primitive roots which are primes or powers of primes. Investigations of the least primitive root have been done by Bach [8], Burgess and Elliott [45], Elliott [118], Wang [363], Heath-Brown [160] and Murata [253]. To discuss some cryptographically interesting results in this field, we introduce now two notations following Murata. If p is an odd prime number, let g(p) denote the least positive integer which is a primitive root of p, and let G(p) denote the least prime which is a primitive root of p. We use the notation a(x) l_i

is a shortest linear recurrence relation the sequence s(i)^∞ satisfies. a(i)_j = 0 for all j with l_i + 1

[min{N_1, N_2} − 1]/2;
2. if p_1, ..., p_t are quadratic nonresidues modulo both N_1 and N_2, then L(s^∞) ≥ min{N_1, N_2} − 1.

Proof: By Theorem 3.10.2 L(s^∞) ≥ min{ord_{N_1}(p_1), ord_{N_2}(p_1), ..., ord_{N_1}(p_t), ord_{N_2}(p_t)}.
By the proof of Theorem 3.10.5, o r d g , ( p j ) > [min{N1,N2}  1]/2. The conclusion of part one then follows. If Pl, ..., Pt are quadratic nonresidues modulo both N1 and N2, by the proof of Theorem 3.10.5 we obtain ordN~ (pj)  Ni  1. Thus, the conclusion of part two follows. [3 T h e o r e m 3.10.8 Let N 1 , N 2 , p l , . . . , p t
be pairwise distinct p r i m e s , m A s s u m e that m a x { p i + l 9i  1,2,...,t} < N1, m a x { p 2 + l 9i  1,2,...,t} < N2 and ( N 1  1)/2 and ( N 2  1)/4 are odd p r i m e s . For any n o n c o n s t a n t sequence s ~176 of period N over Z m ,
Pl""Pt,
and N 
NIN2.
1. L(s ~176> min{(N1  1)/2, ( N 2  1)/4}; 2. if p l , . . . , p t are quadratic nonresidues modulo both N1 and N2, then
L(s ~176> min{N1, N 2 }  1. P r o o f : By Theorem 3.10.2 L(s ~ ) _ min{ordN1 (Pl), ordg2 (pl), ..., ordgl (Pt), ordg2 (Pt)}. By the proof of Theorem 3.10.4, ordN2(Pj) >_ [N2  1]/4. By the proof of Theorem 3.10.5, ordNl(Pj) >_ [NI  1]/2. The conclusion of part one then follows. If P I , ...,Pt are quadratic nonresidues modulo both NI and N2, by the proofs of Theorems 3.10.4 and 3.10.5 we obtain ordNi(Pj)  Ni  1. Thus, the conclusion of part two follows. Q Lower bounds on the linear complexity of sequences over Zp~ can be developed as follows. Let s ~176 be a sequence of period N over Zv~ , and s(p) ~176  s ~176 mod p. Assume that L(s ~176 1 and si  a l s i  1 Jr a2si2 J r ' " Jr a l s i  l ,
i > l
is a shortest linear recurrence relation for s ~176 then s(p)i  a ( p ) l s ( p ) i  1 + a ( p ) 2 s ( p ) i  2 + ' "
+ a(p)ls(p)il,
i >_ l,
where a(p)i  ai mod p, and s(p)i  si mod p. It follows that L(s ~ ) _ L(s(p)~176
(3.4)
This inequality will provide a bridge for transferring bounds on the linear complexity of sequences over Zp to those of sequences over Zp~. T h e o r e m 3.10.9 Let N  N ~ ~N ~ 2 . . . N n~, and m  pk, where N1, ..., Nr, p are pairwise distinct p r i m e s . For any sequence s ~176of period N over Z m , if s(p) ~176 is not a c o n s t a n t sequence, then
L(s ~176_ min{ordgl (p), ..., ordg. (p)}.
3.10. Linear Complexity of Sequences o v e r
Zm
73
P r o o f : By (3.4) L(s ~176>_ L(s(p)~ The conclusion then follows from Theois nonconstant. E] rem 3.3.1 and the assumption that s(p) ~176 Since we have many ways to control ordg~ (p), in many cases the linear complexity of sequences over Zp~ is easy to control. As mentioned before, it is necessary to control the linear complexity of sequences over Zpk due to the ReedsSloane algorithm [293]. Since the arithmetic of Z2~ can be efficiently implemented on standard processors, we describe some tight bounds on the linear complexity of sequences over Z2~. These bounds have already been set up for sequences over fields [100]. T h e o r e m 3 . 1 0 . 1 0 Let N = 8k + 3 and ( N  1)/2 both be odd primes, and let e be a positive integer. For any sequence s ~176 of period N over Z2~, if the is a nonconstant sequence, then binary sequence s(2) ~176 L(s ~ 1 7 6
orN.
P r o o f : Let N = 2t + 1. By assumption t is prime, so the order of 2 modulo N must be one of 2, t and 2t. Since N  8k + 3, 2 (N1)/~   1 (mod N). Because t _> 3, so N _> 7. Thus, the order of 2 modulo N must be 2t  N  1. The conclusion then follows from Theorem 3.10.9. [3 T h e o r e m 3 . 1 0 . 1 1 Let N  8 k  3 and ( N  1)/4 both be primes, and let e be a positive integer. For any sequence s ~176 of period N over Z2~, if the binary sequence s(2) ~176 is a nonconstant sequence, then L(s ~ 1 7 6
orN.
P r o o f : Let N  4t + 1. By assumption t is prime, so the order of 2 modulo N must be one of 4, t, 2t, and 4t. Since N  8 k  3, we have 2 (N1)/2 z  1 (mod N). Since both t and N are prime, N _> 13. Thus, ordN(2) ~: 4, since 24  1  1 5 ~ 0 ( m o d N ) . Since2 ( N  1 ) / 2  2 2 t   1 (mod N) , the order of 2 modulo N is not equal to t or 2t. Hence, the order of 2 modulo N must be 4 t  N  1. The conclusion then follows from Theorem 3.10.9. o T h e o r e m 3 . 1 0 . 1 2 Let N1  8kl + 3 and N2  8k2 + 3 be primes, where 4kl + 1 and 4k2 + 1 are also primes. For any sequence s ~ of period N1N2 over Z2., if the binary sequence s(2) ~ is a nonconstant sequence, then L(s ~176__ min{N1, N 2 }  1. P r o o f : By the proof of Theorem 3.10.10 ordN1 (2)  N1  1, ordg2 (2)  N2  1. Then the conclusion follows from Theorem 3.10.9.
[3
Chapter 3. Primes, Primitive Roots and Sequences
74
Theorem 3.10.13 Let N1 = 8k1 − 3 and N2 = 8k2 − 3 be primes, where 2k1 − 1 and 2k2 − 1 are also primes. For any sequence s^∞ of period N1N2 over Z_{2^e}, if the binary sequence s(2)^∞ is a nonconstant sequence, then L(s^∞) ≥ min{N1, N2} − 1.

Proof: By the proof of Theorem 3.10.11, ord_{N1}(2) = N1 − 1 and ord_{N2}(2) = N2 − 1. Then the conclusion follows from Theorem 3.10.9. □

Theorem 3.10.14 Let N1 = 8k1 + 3 and N2 = 8k2 − 3 be primes, where 4k1 + 1 and 2k2 − 1 are also primes. For any sequence s^∞ of period N1N2 over Z_{2^e}, if the binary sequence s(2)^∞ is a nonconstant sequence, then L(s^∞) ≥ min{N1, N2} − 1.

Proof: By the proofs of Theorems 3.10.10 and 3.10.11, ord_{N1}(2) = N1 − 1 and ord_{N2}(2) = N2 − 1. Then the conclusion follows from Theorem 3.10.9. □

The bounds of Theorems 3.10.9, 3.10.10, 3.10.11, 3.10.12, 3.10.13, and 3.10.14 show how to control the linear complexity of sequences over Z_{2^e}. For sequences over Z_{p^e}, one can develop similar bounds. A more general bound on the linear complexity of sequences over Z_m is described by the following theorem.

Theorem 3.10.15 Let N = N1^{n1} N2^{n2} ··· Nr^{nr}, where the Ni are distinct primes, and let m = p1^{e1} p2^{e2} ··· pt^{et}, where the pi are pairwise distinct primes such that gcd(N, m) = 1. For any sequence s^∞ of period N over Z_m, if one of the sequences s(pj)^∞ is nonconstant, then
L(s^∞) ≥ min{ord_{N1}(p1), ..., ord_{Nr}(p1), ..., ord_{N1}(pt), ..., ord_{Nr}(pt)}.

Proof: Combining Lemma 3.10.1 and Theorem 3.10.9 proves this theorem. □

All of the bounds presented before are special cases of this more general bound. Whether this bound is tight depends on the parameters Ni, ni, pi, ei. By choosing proper values for these parameters one can easily control the linear complexity of sequences over Z_m. Here we use parameters of special forms to control the linear complexity, instead of using some cryptographic functions to do so.
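As an added worked example (not from the book), the following Python code computes ord_N(2) for the prime family of Theorem 3.10.11 and checks the linear-complexity bounds above with a Berlekamp–Massey implementation. The test sequences are constructed here: quadratic-residue sequences of periods 13 and 29, their termwise sum of period 13·29, and a period-7 m-sequence as the bad case of period 2^m − 1.

```python
from math import gcd, isqrt

def mult_order(a, n):
    """Multiplicative order of a modulo n; requires gcd(a, n) = 1."""
    if gcd(a, n) != 1:
        raise ValueError("a and n must be coprime")
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k

def is_prime(n):
    """Trial division; enough for the small parameters used here."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def primes_8k_minus_3(limit):
    """Primes N = 8k - 3 < limit with t = 2k - 1 prime (the family of Theorem 3.10.11);
    the proof above shows ord_N(2) = N - 1 for every such N."""
    return [8 * k - 3 for k in range(1, (limit + 3) // 8 + 1)
            if 8 * k - 3 < limit and is_prime(8 * k - 3) and is_prime(2 * k - 1)]

def berlekamp_massey(bits):
    """Length of the shortest LFSR over GF(2) that generates bits (its linear complexity)."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n      # current and previous connection polynomials
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                           # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):        # C(x) <- C(x) + x^(i-m) B(x)
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L

def linear_complexity(period_bits):
    """Linear complexity of the periodic sequence with the given period;
    two periods suffice because L is at most the period."""
    return berlekamp_massey(period_bits * 2)

def qr_sequence(p):
    """One period of s_i = 1 iff i is a nonzero quadratic residue modulo the odd prime p."""
    qr = {x * x % p for x in range(1, p)}
    return [1 if i in qr else 0 for i in range(p)]

def product_period_sequence(p, q):
    """Constructed test case: termwise sum over Z_2 of the quadratic-residue sequences
    of periods p and q, a nonconstant sequence of period pq."""
    a, b = qr_sequence(p), qr_sequence(q)
    return [a[i % p] ^ b[i % q] for i in range(p * q)]

def m_sequence_period_7():
    """Period-7 m-sequence from s_{n+3} = s_{n+1} + s_n (polynomial x^3 + x + 1):
    the period 2^m - 1 case, where ord_7(2) = 3 and the linear complexity is only 3."""
    s = [1, 1, 1]
    for _ in range(4):
        s.append(s[-2] ^ s[-3])
    return s
```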
3.11 Period and its Cryptographic Importance
Let us stipulate that the periods mentioned in this section are least periods. Practical keystream sequences are usually periodic, or at least ultimately periodic, because the proposed sequence generators are usually finite state machines. From the public literature about stream ciphers we can see that little attention has been paid to the particular nature of periods, at most to their size. To control the size of the period for sequences, it suffices to control the linear complexity of sequences, since the linear complexity is less than or equal to the period. To design keystream generators, we usually need to consider some of the following problems from both security and implementation viewpoints:
1. the computational complexity of the sequence-producing algorithm;
2. the control of the linear complexity of the keystream sequences and of the size of the period;
3. the control of the sphere complexity of the keystream sequences;
4. the control of the frequency distribution of the elements from the ring or field over which the sequence is constructed;
5. the control of the pattern distributions of the output sequences;
6. the control of the difference property of some sequence-producing functions in the generator;
7. the control of the nonlinearity of some sequence-producing functions with respect to some operations in the generator;
8. the control of the correlation property between some output sequences of different stages in the generator.
Traditionally the procedure for designing keystream generators is: first to have an idea about the structure of a generator which is based on some technically simple devices from the viewpoint of fast implementation, then to control the cryptographic properties of the keystream sequences from the security viewpoint by choosing proper parameters for the generator, for example, the choice of some cryptographic functions.
In fact it is usually difficult to get theoretical results about some of the items above for many proposed keystream generators. Those commonly known for some generators are the linear and sphere complexity of the output sequences, the frequency distribution of elements of the field over which the sequence is generated, and the nonlinear order of its sequence-producing functions.
Now the question is which of the above problems should be considered first. The order of considering the above problems is cryptographically significant. For instance, many sequence generators cannot generate sequences of arbitrary period. But there do exist some which can produce every periodic sequence by selecting some of the parameters. Thus, if we first consider the performance problem, then we may have a stream cipher system whose security problems are difficult to coordinate. The structure of a generator determines whether there are tradeoffs between some cryptographic requirements and the number of tradeoffs if there are any. In this book we consider the design of keystream generators in the following order:
1. choose first cryptographically good periods;
2. design generators which can produce sequences of these periods;
3. control some cryptographic properties above of the generator and at the same time consider the performance of the generator.
The importance of the period for sequences is easily seen from the results in this chapter. Speaking specifically, cryptographically good periods ensure automatically large linear and sphere complexity, provided only that the sequence does not have bad balance of the elements of the field over which the sequence is generated. This approach has the advantage of making the system have as few tradeoffs as possible. The importance of periods will be further discussed in some of the following chapters. As an example, we consider some special periods. Since the order of 2 modulo 2^m − 1 is m, which is very small compared with the period 2^m − 1, the linear and sphere complexity of binary sequences of period 2^m − 1 are hard to control. Similarly, since the order of 2 modulo 2^m + 1 is 2m, the linear and sphere complexity of binary sequences of period 2^m + 1 are also hard to control. Finally, for some generators such as the NSGs the control of the period is easy, while for others it is quite hard.
Thus, the structure of a generator determines whether cryptographic aspects of the generator are easy to control or not.
Chapter 4 Cyclotomy and Cryptographic Functions
The word cyclotomy means "circle-division" and refers to the problem of dividing the circumference of the unit circle into a given number, n, of arcs of equal lengths. The ruler-and-compass treatment of this problem was discussed in Euclid's time. Gauss' remarkable result is that, if n is a Fermat prime, then the regular polygons of 2^s n sides can be constructed with ruler and compass [346]. Our interest in the theory of cyclotomy has stemmed from the rather remarkable fact that the cyclotomic numbers actually represent the difference property and the nonlinearity of some cryptographic functions from Z_p's to some Abelian groups [98] as well as the two-character distributions and autocorrelation property of some cyclotomic sequences. In this chapter we shall construct cryptographic functions based on cyclotomic numbers. We now fix for this and later chapters the notation (x mod q) mod k, by which we mean that first the number x should be reduced modulo q to give a number between 0 and q − 1, and then that number should be reduced modulo k to give an integer between 0 and k − 1. We make some references to difference sets and almost difference sets in this chapter. The reader not already familiar with these notions should refer to Sections 6.1 and 6.6.

4.1 Cyclotomic Numbers
Let N = df + 1 be an odd prime and let θ be a fixed primitive element of Z_N. Denote the multiplicative subgroup ⟨θ^d⟩ as D_0; then the coset decomposition of Z_N^* with respect to the subgroup D_0 is
Z_N^* = ∪_{i=0}^{d−1} D_i,
where D_i = θ^i D_0 for i ≥ 0. The coset D_l is called the index class l [14] or cyclotomic class l [346]. Let (l, m)_d denote the number of solutions (x, y) of the equation
1 = y − x, (x, y) ∈ D_l × D_m,
or equivalently, (l, m)_d = |(D_l + 1) ∩ D_m|. These constants (l, m)_d are called cyclotomic numbers of order d [85, 211, 13, 14, 254]. Clearly, there are at most d² distinct cyclotomic numbers of order d and these numbers depend not only on N, d, l, m, but also on which of the φ(N − 1) primitive elements of Z_N is chosen. The following elementary facts about cyclotomic numbers are not hard to prove [85, 14]:
(A) (l, m)_d = (l', m')_d when l ≡ l' (mod d) and m ≡ m' (mod d);
(B) (l, m)_d = (d − l, m − l)_d = (m, l)_d if f is even, and (m + d/2, l + d/2)_d if f is odd;
(C) Σ_{m=0}^{d−1} (l, m)_d = f − n_l, where n_l = 1 if l ≡ 0 (mod d) and f is even; n_l = 1 if l ≡ d/2 (mod d) and f is odd; n_l = 0 otherwise;
(D) Σ_{l=0}^{d−1} (l, m)_d = f − k_m, where k_m = 1 if m ≡ 0 (mod d); k_m = 0 otherwise;
(E) Σ_{l=0}^{d−1} Σ_{m=0}^{d−1} (l, m)_d = df − 1 = N − 2;
(F) (l, m)_{d}' = (sl, sm)_d, where (l, m)_{d}' is based on the primitive root θ' = θ^s (mod N); necessarily then s is prime to N − 1.
These elementary facts are very important to our applications, as Properties (C)–(E) indicate several kinds of conservations between the cyclotomic numbers. They are the theoretical basis for the necessity of keeping the stability of local nonlinearities of some cryptographic functions. The meaning of the cyclotomic numbers can be seen from another viewpoint. By definition the set {(l, m)_d : m = 0, 1, ..., d − 1} represents how the set D_l + 1 is distributed among the cyclotomic classes. Note that
|(D_l + θ^k) ∩ D_m| = |(D_{(l+N−1−k) mod d} + 1) ∩ D_{(m+N−1−k) mod d}|
for each k, so the d sets of numbers {(l, m)_d : m = 0, 1, ..., d − 1} for l = 0, 1, ..., d − 1 represent also the distribution of the elements of any set D_l + w over the d cyclotomic classes, where w ≠ 0. As observed above, cyclotomic numbers represent in fact the difference property of the partition {D_0, D_1, ..., D_{d−1}} of Z_N^*. So they should have connections with difference sets. Necessary and sufficient conditions that the dth power residues of a prime N = df + 1 form a difference set are that d is even, f is odd and that
(l, 0)_d = (f − 1)/d for l = 0, 1, ..., d/2 − 1.
The existence problem of such difference sets has been solved for d = 2 ([274], i.e., the quadratic residues of primes N = 4t − 1), d = 4 ([63], the biquadratic residue difference set for N = 2t² + 1, t odd), d = 8 ([210], the octic residue difference set for N = 8a² + 1 = 64b² + 9, k = a², λ = b² with a, b odd). The best known dth power residue difference sets are the quadratic residue sets of Paley [274], and the biquadratic residue difference set of Chowla [63]. Their applications will be investigated in later chapters. A general theory of the dth power residue difference sets has been developed by Lehmer [210]. Detailed discussions can also be found in Storer [346] and Baumert [14].
4.2 Cyclotomy and Cryptography
Cyclotomic numbers are quite useful in designing cryptographic functions for some stream ciphers. This section will make clear the importance of cyclotomy in the design and analysis of some stream ciphers. This will be done from several points of view. We begin with the additive natural stream ciphers.

4.2.1 Cyclotomy and Difference Parameters
The differential cryptanalysis of the additive natural stream ciphers was studied in [98]. We now give a brief description of the analysis. Assume that (G, +) is the Abelian group over which the keystream sequence is constructed, and |G| = n. For each g_i ∈ G let C_i = {x ∈ Z_N : f(x) = g_i}, where f(x) is the cryptographic function of the NSG in Figure 2.5.b. The ordered set {C_0, C_1, ..., C_{n−1}} is called the characteristic class. For any ordered partition {C_0, C_1, ..., C_{n−1}} of Z_N, there exists a function f(x) with this partition as its characteristic class. The differential analysis of the system of Figure 2.5.b is the analysis of the following difference parameters:
d_f(i, j; w) = |C_i ∩ (C_j − w)|, (g_i, g_j) ∈ G × G, w ∈ Z_N.
Thus d_f(i, j; w) is the number of solutions of the equation w = x_j − x_i for x_j ∈ C_j, x_i ∈ C_i.
The following simple facts are cryptographically important, as they represent some conservation rules between the difference parameters:
Σ_j d_f(i, j; w) = |C_i|, g_i ∈ G, w ∈ Z_N;
Σ_i d_f(i, j; w) = |C_j|, g_j ∈ G, w ∈ Z_N;
Σ_{i,j} d_f(i, j; w) = N, w ∈ Z_N.
When n = 2 (so G = Z_2) the differential analysis for the additive natural stream ciphers is important because it is equivalent to the following analyses: the nonlinearity analysis of the cryptographic function f(x); the autocorrelation analysis of the keystream sequences; the stability analysis of the mutual information between the key and the two-bit keystream; and the transdensity analysis of the system, by which we mean the analysis of the probability of agreement between two encryption or decryption transformations specified by two keys [98, 100]. These equivalences have already been proved in Section 2.4. One cryptographically important aspect of cyclotomic numbers can be shown as follows. Let the notation be the same as in the previous section, so in particular N is an odd prime and N = df + 1. What we want to do now is to construct cryptographic functions from Z_N to an Abelian group (G, +) of d elements, where G = {g_0, g_1, ..., g_{d−1}}. Let D_i be the cyclotomic classes of order d defined in the previous section and
C_0 = D_0 ∪ {0}, C_i = D_i, i = 1, ..., d − 1.
Without considering the implementation problem, we define a function from Z_N to (G, +) as: f(x) = g_i iff x ∈ C_i. If i · j ≠ 0, then we have
d_f(i, j; θ^k) = (i + N − 1 − k, j + N − 1 − k)_d.
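The following Python code is an added example, not the book's. It builds the cyclotomic classes of N = df + 1 from the least primitive root, tabulates the cyclotomic numbers (l, m)_d, checks the conservation rules (C)–(E) and Lehmer's difference-set criterion of Section 4.1, and then computes the difference parameters d_f(i, j; w) of the characteristic-class function C_0 = D_0 ∪ {0}, C_i = D_i to verify the conservation rules and the relation d_f(i, j; θ^k) = (i + N − 1 − k, j + N − 1 − k)_d above. The parameters N = 11 (d = 2), N = 13 and N = 37 (d = 4) are choices made here for testing.

```python
def mult_order(a, n):
    """Multiplicative order of a modulo n (gcd(a, n) must be 1)."""
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k

def cyclotomic_classes(N, d):
    """Classes D_i = theta^i <theta^d> of the prime N = df + 1, theta the least primitive root."""
    assert (N - 1) % d == 0
    theta = next(g for g in range(2, N) if mult_order(g, N) == N - 1)
    D0 = {pow(theta, d * j, N) for j in range((N - 1) // d)}
    return theta, [{pow(theta, i, N) * x % N for x in D0} for i in range(d)]

def cyclotomic_numbers(N, classes):
    """(l, m)_d = |(D_l + 1) ∩ D_m| for all l, m."""
    d = len(classes)
    return [[sum((x + 1) % N in classes[m] for x in classes[l]) for m in range(d)]
            for l in range(d)]

def conservation_holds(N, d, cyc):
    """Properties (C), (D) and (E) of Section 4.1."""
    f = (N - 1) // d
    special_l = 0 if f % 2 == 0 else d // 2          # the class containing -1
    rows = all(sum(cyc[l]) == f - (1 if l == special_l else 0) for l in range(d))
    cols = all(sum(cyc[l][m] for l in range(d)) == f - (1 if m == 0 else 0)
               for m in range(d))
    return rows and cols and sum(map(sum, cyc)) == N - 2

def lehmer_condition(N, d, cyc):
    """Criterion for the d-th power residues D_0 to form a difference set of Z_N."""
    f = (N - 1) // d
    return d % 2 == 0 and f % 2 == 1 and all(cyc[l][0] * d == f - 1 for l in range(d // 2))

def difference_set_lambda(N, D):
    """lambda if every nonzero w is a difference x - y of elements of D exactly lambda times, else None."""
    counts = [0] * N
    for x in D:
        for y in D:
            if x != y:
                counts[(x - y) % N] += 1
    return counts[1] if len(set(counts[1:])) == 1 else None

def difference_parameters(N, C):
    """d_f(i, j; w) = |C_i ∩ (C_j - w)| for the function f(x) = g_i iff x in C_i."""
    n = len(C)
    return [[[sum((x + w) % N in C[j] for x in C[i]) for w in range(N)]
             for j in range(n)] for i in range(n)]

def cyclotomic_function_checks(N, d):
    """Characteristic class C_0 = D_0 ∪ {0}, C_i = D_i: verify the three conservation rules
    and d_f(i, j; theta^k) = (i + N - 1 - k, j + N - 1 - k)_d for i, j != 0."""
    theta, D = cyclotomic_classes(N, d)
    cyc = cyclotomic_numbers(N, D)
    C = [D[0] | {0}] + D[1:]
    df = difference_parameters(N, C)
    rows = all(sum(df[i][j][w] for j in range(d)) == len(C[i])
               for i in range(d) for w in range(N))
    cols = all(sum(df[i][j][w] for i in range(d)) == len(C[j])
               for j in range(d) for w in range(N))
    total = all(sum(df[i][j][w] for i in range(d) for j in range(d)) == N for w in range(N))
    link = all(df[i][j][pow(theta, k, N)] == cyc[(i + N - 1 - k) % d][(j + N - 1 - k) % d]
               for i in range(1, d) for j in range(1, d) for k in range(N - 1))
    return rows and cols and total and link
```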
On the other hand, we have
d_f(0, 0; θ^k) = |(D_{N−1−k} ∪ {0}) ∩ (D_{N−1−k} ∪ {0} − 1)|.
It follows that
0 0 and n is an odd prime > 92"~/2 m+2. We call them Tchebychef primes owing to the cryptographically important result of Tchebychef (Proposition 3.5.8).
5.2.1 Their Cryptographic Significance
The cryptographic significance of the Tchebychef primes can be strengthened by the following three results, which can be easily derived from Proposition 3.5.8.
Chapter 5. Special Primes and Sequences
Proposition 5.2.1 If p and q = 8p + 1 are both odd primes with p > 11, then 3 is a primitive root of q.

Proposition 5.2.2 If p and q = 16p + 1 are both odd primes with p > 411, then 3 is a primitive root of q.

Proposition 5.2.3 If p and q = 32p + 1 are both odd primes with p > 1345211, then 3 is a primitive root of q.

Primes like those above can be used to design ternary sequences with period 8p + 1, 16p + 1 or 32p + 1, and with period equal to the product of two such primes. Sequences over GF(5) and GF(7) based on primes of these forms can also be designed.
5.2.2 Existence and Search Problem
Tchebychef primes are of the form p·2^n + 1 with p being relatively much larger than n. For our cryptographic purposes we are concerned with whether there are large primes of the form q = lp + 1 with l = 8, 16 and 32. Dirichlet's theorem on primes in arithmetic progressions says that, given n ≥ 1, there exist infinitely many integers k ≥ 1 such that k × 2^n + 1 is a prime. This result shows it is possible that there are large Tchebychef primes. However, it is still an open problem whether such primes exist. Many large primes of the form k × 2^n + 1 with k small have been found [9], but such primes are not Tchebychef primes. For the purpose of designing cryptographic sequences, the investigation of the following problems is important.
Research Problem 5.2.4 Find large primes p such that 4p + 1 is also a prime.

Research Problem 5.2.5 Find large primes p such that 8p + 1 is also a prime.

Research Problem 5.2.6 Find large primes p such that 16p + 1 is also a prime.

Research Problem 5.2.7 Find large primes p such that 32p + 1 is also a prime.

A fact of possible cryptographic interest about primes of the form 8p + 1 is the following. Vaughan proved in 1973 that either there are infinitely many primes p such that 8p + 1 is a prime or the product of two distinct primes, or there are infinitely many primes p such that 8p + 1 is the product of three distinct primes [357].
5.3 Other Primes of Form k × 2^n + 1 and Sequences
Tchebychef primes seem hard to find, but many primes of the form k × 2^n + 1 with small k and large n have been found. Much attention has been paid to numbers of this form, because the factors of Fermat numbers are of such a form. A search for such primes was done by Matthew and Williams [238], Robinson [303], Shippee [330] and Baillie [9]. According to [9], the method used to test k × 2^n + 1 for primality was stated originally by Proth [291], and proven in [302]. The idea of the method is: given N = k2^n + 1 with k < 2^n, we look for a number D which makes the Jacobi symbol (D/N) = −1. If 3 does not divide k, we may take D = 3; if 3 divides k, a (usually short) search is conducted for a suitable D. Then N is prime if and only if D^{(N−1)/2} ≡ −1 (mod N). In [9] all primes of the form k × 2^n + 1 for k odd, 1 ... 2 does not divide a and if there exists an integer b such that a = b² mod p, then a is called a quadratic residue modulo p; otherwise, it is a quadratic nonresidue modulo p. The Legendre symbol is defined by
(a/p) = 0 if p divides a; +1 if a is a quadratic residue modulo p; −1 otherwise.
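Added example (not from [9] or the book): a Jacobi symbol routine, Euler's criterion for the Legendre symbol, and Proth's test as described above for N = k·2^n + 1, k odd, k < 2^n, with D = 3 when 3 ∤ k and a short search for D otherwise. The search bound and the perfect-square guard are choices made here; a square N has no D with (D/N) = −1 and is composite anyway.

```python
from math import isqrt

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; it is the Legendre symbol when n is prime."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 iff n ≡ ±3 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def legendre_by_euler(a, p):
    """Euler's criterion (a/p) ≡ a^((p-1)/2) (mod p), p an odd prime, as a value in {-1, 0, 1}."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def is_prime_trial(n):
    """Trial division, used only to cross-check the test on small numbers."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def proth_is_prime(k, n, search_limit=1000):
    """Proth's test for N = k*2^n + 1 with odd k < 2^n, following the description above:
    D = 3 when 3 does not divide k, otherwise a short search for D with (D/N) = -1;
    N is prime iff D^((N-1)/2) ≡ -1 (mod N)."""
    if k % 2 == 0 or not 0 < k < 2 ** n:
        raise ValueError("need odd k < 2^n")
    N = k * 2 ** n + 1
    if isqrt(N) ** 2 == N:
        return False                      # e.g. 25 = 3*2^3 + 1: no D has (D/N) = -1
    if k % 3 != 0 and jacobi(3, N) == -1:
        D = 3
    else:                                 # 3 | k (or 3 | N): search for a nonresidue-like D
        D = next((d for d in range(2, search_limit) if jacobi(d, N) == -1), None)
        if D is None:
            raise ValueError("no suitable D found below search_limit")
    return pow(D, (N - 1) // 2, N) == N - 1

def proth_primes_below(limit):
    """All Proth primes k*2^n + 1 < limit (k odd, k < 2^n), found with proth_is_prime."""
    found = set()
    n = 1
    while 2 ** n + 1 < limit:
        for k in range(1, 2 ** n, 2):
            N = k * 2 ** n + 1
            if N < limit and proth_is_prime(k, n):
                found.add(N)
        n += 1
    return sorted(found)
```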
To analyze the order of integers modulo a prime, the following theorem of Euler is sometimes useful, which is
(a/p) ≡ a^{(p−1)/2} (mod p).

Table 5.3: The first 33 Mersenne primes.

    p        Year   Discoverer
    2        -      -
    3        -      -
    5        -      -
    7        -      -
    13       1461   Anonymous
    17       1588   P. A. Cataldi
    19       1588   P. A. Cataldi
    31       1750   L. Euler
    61       1883   I. M. Pervushin
    89       1911   R. E. Powers
    107      1913   E. Fauquembergue
    127      1876   E. Lucas
    521      1952   R. M. Robinson
    607      1952   R. M. Robinson
    1279     1952   R. M. Robinson
    2203     1952   R. M. Robinson
    2281     1952   R. M. Robinson
    3217     1957   H. Riesel
    4253     1961   A. Hurwitz
    4423     1961   A. Hurwitz
    9689     1963   D. B. Gillies
    9941     1963   D. B. Gillies
    11213    1963   D. B. Gillies
    19937    1971   B. Tuckerman
    21701    1978   C. Noll & L. Nickel
    23209    1979   C. Noll
    44497    1979   H. Nelson & D. Slowinski
    86243    1982   D. Slowinski
    110503   1988   W. N. Colquitt & L. Welsh
    132049   1983   D. Slowinski
    216091   1985   D. Slowinski
    756839   1992   D. Slowinski & P. Gage
    859433   1994   D. Slowinski & P. Gage
Let a be a nonzero integer, and b an odd integer, such that gcd(a, b) = 1. The Jacobi symbol (a/b) is defined as an extension of Legendre's symbol as follows. Let |b| = ∏_{p|b} p^{e_p} (with e_p ≥ 1). Then
For a Mersenne prime p = 2^m − 1, it is easy to see that ord_p(2) = m. This means that it is difficult to control the linear and sphere complexity for binary sequences with period a Mersenne prime. It is clear [294] that if n is odd, n ≥ 3, then M_n = 2^n − 1 ≡ 7 (mod 12). And if N ≡ 7 (mod 12), then by quadratic reciprocity the Jacobi symbol
(3/N) = −(N/3) = −(1/3) = −1.
Thus for Mersenne primes M_p, we have 3^{(M_p−1)/2} ≡ −1 (mod M_p), which corresponds to the congruence 2^{(q−1)/2} ≡ −1 (mod q) if q is an o-prime. This means that 3 is a candidate to be a primitive root modulo a Mersenne prime. However, this does not ensure the primitivity of 3 modulo a Mersenne prime. For example, 3 is a primitive root of M_3, but not a primitive root of M_5. What we can prove about the order of 3 is ord(3) = 2u, where u is a factor of (M_p − 1)/2 = 2^{p−1} − 1. This is true for every a such that a^{(M_p−1)/2} ≡ −1 (mod M_p). To analyze the order of integers modulo a Mersenne prime generally, we have to observe the factors of 2^{p−1} − 1 for those Mersenne primes M_p. In the book by Brillhart, Lehmer, Selfridge, Tuckerman and Wagstaff, a table of the factorization of 2^n − 1, n ≤ 310, was given [38]. Many more factorizations have been done since. According to the tables 2^n − 1 usually has many small factors. So it seems difficult to design cryptographic sequences with period a Mersenne prime due to the difficulty of controlling the linear and sphere complexity of those sequences. For Mersenne primes M_p for which the factorization of 2^{p−1} − 1 is not known, their cryptographic value is still an open problem.

Research Problem 5.4.1 Investigate whether Mersenne primes have prime primitive roots or small primitive roots which are a power of a prime.
Mersenne primes M_p with 2^{p−1} − 1 having only small factors are bad cryptographic primes, since they have no good partner field GF(q) such that the linear and sphere complexity of sequences of period M_p over the field are easy to control. They are quite different from Sophie Germain primes, which are an excellent partner for many finite fields. However, this evaluation is only based on the ease of controlling the linear and sphere complexity.

5.4.2 Cryptographic Primes of Form ((4u)^n − 1)/(4u − 1)
Primes of the form ((4u)^n − 1)/(4u − 1) with u odd may be cryptographically useful. We first prove the following result. Let p = ((4u)^n − 1)/(4u − 1) be a prime; then
p − 1 = 4u · ((4u)^{n−1} − 1)/(4u − 1).
Since 4u is even, the second factor ((4u)^{n−1} − 1)/(4u − 1) = 1 + 4u + ··· + (4u)^{n−2} is odd, and we have the following theorem.

Theorem 5.4.2 A prime of the form [(4u)^n − 1]/(4u − 1) is an o-prime if and only if u is odd.

It follows from Section 3.4 that o-primes could be very useful in designing cryptographic binary sequences. For the case u = 3, Williams and Seah made a search for all n with 2 ≤ n < 1000 [392]. From their table four large primes are found, i.e.,
(12^97 − 1)/11, (12^109 − 1)/11, (12^317 − 1)/11, (12^353 − 1)/11.
These primes are of the form 4t + 1 with t odd. Obviously, t is an odd composite. To see their cryptographic value with respect to GF(2), we need to solve the following problem.

Research Problem 5.4.3 Study the primitivity of 2 and the order of 2 modulo the above four primes.

For the purpose of designing binary keystream sequences, we need large primes of the form [(4u)^n − 1]/(4u − 1) with u odd for which 2 is a primitive root or at least has large order. Thus, we propose the following general problem.

Research Problem 5.4.4 Find large primes of the form [(4u)^n − 1]/(4u − 1) with odd u ≥ 3 for which 2 has large order.
5.4.3 Prime Repunits and their Cryptographic Values

Repunits are the decimal integers 1, 11, 111, 1111, .... R_n is used to denote 11...1 = (10^n − 1)/9. The known facts about repunits are:
1. if R_n is a prime, then n must be a prime;
2. a repunit (≠ 1) cannot be a square;
3. a repunit (≠ 1) cannot be a cube.
The known prime repunits are only R_2, R_19, R_317 and R_1031, of which R_317 was discovered by Williams [391], R_1031 by Williams and Dubner [393]. These are the only known prime repunits R_p for p ≤ 10000. Though it is still an open problem whether there are infinitely many prime repunits, the only cryptographically interesting prime repunit is R_317 since R_1031 is too large and the others are too small. To evaluate the cryptographic value of this prime repunit, we first analyze whether it is an o-prime. Since
R_n + 1 = 4[(10^{n−1} + 10^{n−2} + ··· + 10^3)/4 + 28],
we have R_n = 4u − 1 with u even for each n ≥ 3. This proves the following theorem.

Theorem 5.4.5 Prime repunits are e-primes, and 2 is therefore never a primitive root of a prime repunit.
To see the cryptographic value of R_317 in designing keystream sequences over GF(a), we should solve the following problem.

Research Problem 5.4.6 For each positive integer a, investigate the order of a modulo R_317.

5.5 n! ± 1 and p# ± 1 Primes and Sequences
Let p# denote the product of all primes that are no larger than p; for example, 7# = 2 × 3 × 5 × 7 = 210. The primality of numbers of the forms n! + 1 and p# + 1 was investigated by Borning [27], Templer [350], Buhler, Crandall and Penk [43], and Caldwell [46]. In [43, 46] primes of the forms n! − 1 and p# − 1 were also investigated. These investigations have led to the determination of all primes less than 10^{1000} of the forms n! ± 1 and p# ± 1 [43]. These primes are
- primes N = n! + 1 for n = 1, 2, 3, 11, 27, 37, 41, 73, 77, 116, 154, 320, 340, 399, 427, 872, 1477;
- primes N = n! − 1 for n = 3, 4, 6, 7, 12, 14, 30, 32, 33, 38, 94, 166, 324, 379, 469, 546, 974, 1963, 3507, 3610;
- primes N = p# + 1 for p = 2, 3, 5, 7, 11, 31, 379, 1019, 1021, 2657, 3229, 4547, 4787, 11549, 13649, 18523, 23801, 24029;
- primes N = p# − 1 for p = 3, 5, 11, 41, 89, 317, 991, 1873, 2053, 2377, 4093, 4297, 4583, 6569, 13033, 15877.
Primality was verified by the classic N² − 1 primality test of [37]. Primes of the forms n! ± 1 are obviously e-primes, so 2 is never a primitive root of these primes. Thus, to design good binary sequences with period of such a prime we have to investigate the orders of 2 modulo these primes. Comparatively, primes of the form n! + 1 seem to be worse than those of the form n! − 1, because n! has many more small factors than n! − 2. Much more cryptographically interesting is the fact that there may exist large Sophie Germain primes of the form (n! − 2)/2. Let N_n = n! − 1; then
(N_3 − 1)/2 = 2, (N_4 − 1)/2 = 11, (N_6 − 1)/2 = 359, (N_7 − 1)/2 = 2519.
The first three are primes, but (N_7 − 1)/2 is not prime. So solving the following problem is cryptographically interesting.

Research Problem 5.5.1 Analyze whether (N_12 − 1)/2, (N_14 − 1)/2, (N_30 − 1)/2 and (N_32 − 1)/2 are prime.

Primes of the form p# + 1 also seem cryptographically interesting. Primes of the form p# + 1 must be of the form 4t − 1. It is not difficult to get the following results:
5# + 1 = 31 = 4 × 8 − 1;
7# + 1 = 211 = 4 × 53 − 1;
11# + 1 = 2311 = 4 × 578 − 1;
31# + 1 = 200560490131 = 4 × 50140122533 − 1.
These calculations show that primes of the form p# + 1 may be o-primes or e-primes. If some of them are o-primes, we still need to know whether they have primitive root 2 or whether the orders of 2 modulo them are large enough.
Primes of the form p# − 1 must be of the form 4t + 1. By calculations
5# − 1 = 29 = 4 × 7 + 1;
11# − 1 = 2309 = 4 × 577 + 1;
13# − 1 = 30029 = 4 × 7507 + 1;
41# − 1 = 4 × t + 1, with t even.
Let P_p = p# − 1. These results show that (P_p − 1)/4 is prime for p = 5, 11, 13. If P_p and (P_p − 1)/4 are both prime, they could be very useful in designing cryptographic sequences over GF(2), GF(3) and GF(5). Thus, the investigation of the following problem is worthwhile.

Research Problem 5.5.2 Study whether (P_p − 1)/4 is prime for p = 41, 89, and 317.

5.6 Twin Primes and Sequences over GF(2)
Twin primes, i.e., pairs of primes of the form p and p + 2, occur very high up in the integers. Statistical results indicate that the twins tend to thin out compared with the primes. Some theoretical evidence is given by the following theorem of Brun:
Σ_{(p, p+2) twin primes} (1/p + 1/(p + 2)) = B = 1.90216054.
The constant B is now referred to as Brun's constant, which was calculated based on intuitive considerations about the distribution of twin primes. For details about the calculations, one may consult Shanks [326] and Brent [32]. Brun's theorem implies that there are not very many twin primes compared with the total number of primes, since Σ_{p prime} 1/p diverges. However, for cryptographic purposes what we are concerned with is not whether there are infinitely many twin primes, but whether there are large enough twin primes. Statistical results indicate that there should exist infinitely many twin primes. For example, if we let π_2(x) denote the number of primes p such that p + 2 is also prime and p + 2 < x, it is known that π_2(10^3) = 35, π_2(10^4) = 205, π_2(10^5) = 1224, π_2(10^6) = 8169, π_2(10^7) = 58980, π_2(10^8) = 440312 and π_2(10^{11}) = 224376048 [294]. At present the largest known pairs of twin primes are 1706595 × 2^{11235} ± 1 and 571305 × 2^{7701} ± 1, which were found in 1990 by Parady, Smith and Zarantonello [275]. For our cryptographic purposes the pairs of twin primes presented in Table 5.4, which are based on [275, 294], seem too large.
Table 5.4: The known twin primes having more than 1000 digits.

    Twin primes                      Discoverer                     Year
    107570463 × 10^2250 ± 1          Dubner                         1985
    43690485351513 × 10^1995 ± 1     Dubner                         1985
    520995090 × 2^6624 ± 1           Atkin & Rickert                1984
    519912 × 10^1420 ± 1             Dubner                         1984
    217695 × 10^1404 ± 1             Dubner                         1984
    219649815 × 2^4481 ± 1           Atkin & Rickert                1983
    1639494 × (2^4423 − 1) ± 1       Keller                         1983
    2445810 × (2^4253 − 1) ± 1       Keller                         1983
    218313 × 10^1068 ± 1             Dubner                         1985
    499032 × 10^1040 ± 1             Dubner                         1984
    403089 × 10^1040 ± 1             Dubner                         1984
    256200945 × 2^3423 ± 1           Atkin & Rickert                1980
    663777 × 2^7650 ± 1              Parady, Smith, Zarantonello    1990
    571305 × 2^7701 ± 1              Parady, Smith, Zarantonello    1990
    1706595 × 2^11235 ± 1            Parady, Smith, Zarantonello    1990

5.6.1 The Significance of Twins and their Sexes
Before evaluating the cryptographic value of twin primes, we prove a cryptographically interesting property of twin primes. To this end, we need some definitions [100].

Definition 5.6.1 Let (p, p + 2) be a pair of twin primes and p ≡ Ξ(p) (mod 4), where Ξ(p) = ±1. Then we call Ξ(p) the sex characteristic of the twins.

Definition 5.6.2 If the twins (p, p + 2) = (4t − 1, 4t + 1) for some t, then we say that the twins have the same sex; otherwise, we say that they have different sexes.

In the above definitions, we say that twin primes (p, p + 2) have the same sex, because in the expression of the form 4u ± 1, the u's for both p and p + 2 are the same, and have therefore the same parity, if p = 4t − 1. If p = 4t + 1, then p + 2 = 4(t + 1) − 1 and t and t + 1 have different parities. That is why we call them twins with different sexes. This discussion has also proved the following two properties of twins [100].

Theorem 5.6.3 (The Sex Principle of Twins) If the smaller of the twins has sex characteristic −1, then the twins have the same sex; otherwise, they have different sexes.
Theorem 5.6.4 If p and p + 2 have the same sex, then it is possible for them to have the common primitive root 2 (a common best partner); otherwise, they never have.

We make such a classification for twin primes because of its cryptographic importance. Speaking specifically, twin primes with the same sex can be e-primes or o-primes, and in a pair of twin primes with different sexes there must be one which is an o-prime. The importance of o-primes in binary sequence designing has already been made clear in Chapter 3. In later chapters we will see that twin primes are also of much value in designing good cryptographic functions, which are based on the famous twin-prime difference sets, where a common primitive root is required. Thus, twin primes are cryptographically important from two viewpoints: the control of the linear and sphere complexity of binary sequences; and the designing of good cryptographic functions. If we consider the two aspects together in the design of binary stream cipher systems, we may find that the practically useful twin primes may be those with different sexes, and those (p, p + 2) = (4t − 1, 4t + 1) with the same sex and with t odd. This will be shown in later chapters. What we have mentioned may be only partial cryptographic values of twin primes with respect to the design of binary sequences. To evaluate their values further, we should at least solve part of the following problems:

Research Problem 5.6.5 Investigate whether there are large twin o-primes which have the common primitive root 2.

Research Problem 5.6.6 Investigate for which large twin primes with different sexes there must exist one of the twins which has primitive root 2.

Research Problem 5.6.7 Find large twin primes (p, p + 2) such that ord_p(2) and ord_{p+2}(2) are both large enough.
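An added example (not the book's) in Python that enumerates twin primes, classifies them by sex as in Definitions 5.6.1 and 5.6.2, and checks Theorems 5.6.3 and 5.6.4 and the o-prime remark above on every pair below a bound; the o-prime test used here is q ≡ ±3 (mod 8), i.e. q = 4u ± 1 with u odd, which is exactly the condition for 2 to be a quadratic nonresidue.

```python
from math import isqrt

def is_prime(n):
    """Trial division; enough for the bounds used here."""
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def mult_order(a, n):
    """Multiplicative order of a modulo n (gcd(a, n) must be 1)."""
    k, x = 1, a % n
    while x != 1:
        x, k = x * a % n, k + 1
    return k

def twin_primes(limit):
    """All twin prime pairs (p, p + 2) with p + 2 < limit."""
    return [(p, p + 2) for p in range(3, limit - 2) if is_prime(p) and is_prime(p + 2)]

def sex_characteristic(p):
    """Ξ(p) with p ≡ Ξ(p) (mod 4), Definition 5.6.1."""
    return 1 if p % 4 == 1 else -1

def same_sex(p):
    """Definition 5.6.2: (p, p + 2) = (4t - 1, 4t + 1) for some t, i.e. p ≡ 3 (mod 4)."""
    return p % 4 == 3

def is_oprime(q):
    """q = 4u ± 1 with u odd, i.e. q ≡ ±3 (mod 8): 2 is a quadratic nonresidue modulo q,
    so 2 can be a primitive root only of an o-prime."""
    return q % 8 in (3, 5)

def sex_survey(limit):
    """Check Theorems 5.6.3 and 5.6.4 on every twin pair below limit; count the sexes,
    the pairs with common primitive root 2, and the different-sex frequency F_t."""
    same = different = common = 0
    for p, q in twin_primes(limit):
        # Theorem 5.6.3: same sex iff the smaller twin has sex characteristic -1
        assert same_sex(p) == (sex_characteristic(p) == -1)
        has_common_root_2 = mult_order(2, p) == p - 1 and mult_order(2, q) == q - 1
        if has_common_root_2:
            # Theorem 5.6.4: only same-sex twins can share the primitive root 2,
            # and then both are o-primes (t odd)
            assert same_sex(p) and is_oprime(p) and is_oprime(q)
            common += 1
        if same_sex(p):
            assert is_oprime(p) == is_oprime(q)     # both o-primes or both e-primes
            same += 1
        else:
            assert is_oprime(p) != is_oprime(q)     # exactly one twin is an o-prime
            different += 1
    return {"same": same, "different": different, "common_root_2": common,
            "F_t": different / (same + different)}
```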
5.6.2 Cryptographic Twins and the Sex Distribution
As mentioned above, we are cryptographically interested in twin primes with different sexes and twin o-primes. So it is cryptographically important to know the frequency of occurrence of twin primes with different sexes in the twin-prime series. Let F_t denote the frequency of occurrence of twin primes with different sexes in all the twin primes (p, p + 2) such that p + 2 ≤ ... ≥ |W_0|. Similarly, we can prove that |W_0| ≥ |W_1|. It follows therefore that |W_0| = |W_1|. On the other hand, if N is even, then l(x) = x mod 2 is a nontrivial linear function. Hence, we have proved the following theorem.

Theorem 6.5.1 There is a nontrivial affine function from (Z_N, +) to (Z_2, +) if and only if N is even. And if l(x) is a nontrivial affine function, then |l^{−1}(0)| = |l^{−1}(1)| = N/2, where l^{−1}(i) = {x : l(x) = i, x ∈ Z_N} for i = 0, 1.

This theorem means it is of no interest to study the affine approximation problem for the functions from Z_N to Z_2 with respect to the additions of the two rings when N is odd. So we discuss only the affine approximation of the characteristic functions of difference sets in Z_N with even N. Let f(x) be a function from Z_N to Z_2. From the definition of autocorrelation function it follows immediately that the following theorem is true.

Theorem 6.5.2 Let f(x) be a function from Z_N to Z_2, h(x) = f(x) + l(x) + u, where l(x) is linear and u is a constant. Then for each w ≠ 0, AC_h(w) = (−1)^{l(w)} AC_f(w).
Chapter 6. Difference Sets and Cryptographic Functions
148
Theorem 6.5.3 Suppose D is an (N, k, λ) difference set of Z_N, f_D(x) is the characteristic function of D, l(x) is any nontrivial affine function from (Z_N, +) to (Z_2, +) and h(x) = f_D(x) + l(x). Let H be the characteristic set of h(x), s = |H| and c = [N − 4(k − λ)]/N. Then

1. $s = |H| = \bigl[N + \sqrt{N(1 - (-1)^{l(0)} c)}\bigr]/2$ or $\bigl[N - \sqrt{N(1 - (-1)^{l(0)} c)}\bigr]/2$;

2. $d_H(w) = s - N[1 - (-1)^{l(w)} c]/4$ for each $w \neq 0$;

3. $\Pr(f_D(x) = l(x)) = \frac{1}{2} \pm \frac{\sqrt{N(1 - (-1)^{l(0)} c)}}{2N} = \frac{1}{2} \pm \frac{\sqrt{1 - (-1)^{l(0)} c}}{2\sqrt{N}}$,

where Pr(f_D(x) = l(x)) denotes the probability of agreement between f_D(x) and l(x).

Proof: It follows from Theorems 6.2.1 and 6.5.1 as well as Corollary 6.2.2 that

$[N - 4(s - d_H(w))]/N = AC_h(w) = (-1)^{l(w)} AC_{f_D}(w) = (-1)^{l(w)} c$ for each $w \neq 0$.

This gives

$d_H(w) = s - [N(1 - (-1)^{l(w)} c)]/4$ for each $w \neq 0$.

On the other hand, by employing the conservation law of the difference function

$\sum_{0 \neq w \in Z_N} d_H(w) = s(s-1)$

we get further

$s(s-1) = \sum_{w \neq 0} d_H(w) = s(N-1) - N\Bigl[N - 1 - \sum_{w \neq 0} (-1)^{l(w)} c\Bigr]/4.$

This fact together with Theorem 6.5.1 gives the following equation

$s^2 - Ns + N\bigl[N - 1 + (-1)^{l(0)} c\bigr]/4 = 0.$

The solutions of the equation prove the remaining parts of the theorem. □

Note that for every difference set of Z_N, the constant c satisfies −1 < c < 1. It follows that for any nontrivial affine function h(x) and the characteristic function f(x) of any difference set of Z_N, we have

$\frac{1}{2} - \frac{1}{\sqrt{2N}} < \Pr(f(x) = h(x)) < \frac{1}{2} + \frac{1}{\sqrt{2N}}.$

This rather surprising result means that any nontrivial affine approximation of the characteristic function of any difference set of Z_N is quite bad. This lower bound for c can be further improved from the fact that k(k − 1) = (N − 1)λ. Another important fact, which follows from the above theorem, is that if the constant c is approximately zero (i.e., k − λ ≈ N/4), then the set H also has good difference property.

Difference sets with parameters of the form (4m, k, λ) in a group were called Menon difference sets, Hadamard difference sets or H-sets. Our terminology is chosen to agree with Arasu [7]. A rather remarkable result about the parameters of Menon difference sets proved by Menon is that a Menon difference set has parameters of one of the forms

$(N, k, \lambda, n) = (4m^2,\ 2m^2 \pm m,\ m^2 \pm m,\ m^2),$

where n is defined to be k − λ. The characteristic functions of the Menon difference sets have the worst probability of agreement with all affine functions. Equivalently, they have the best nonlinearity with respect to the additions of $Z_{4m^2}$ and Z_2.

6.6 Almost Difference Sets
The definition of almost difference sets was given in Section 6.1. We shall investigate almost difference sets and their importance in cryptography further in the following sections. Let us stipulate that the integer N in this section and Sections 6.7 and 6.8 is odd, so that an almost difference set with N elements is possible. From the definition of (N, k, λ) almost difference sets of Z_N, it follows immediately that the condition

$k(k-1) = (2\lambda + 1)(N-1)/2$

holds for all (N, k, λ) almost difference sets of Z_N. If N = 4t − 1, then (N − 1)/2 = 2t − 1 is odd, so (2λ + 1)(N − 1)/2 must be odd, whereas k(k − 1) is always even. This proves the following result.

Theorem 6.6.1 Let N be an odd integer. If Z_N has an (N, k, λ) almost difference set, then N must be of the form 4t + 1.

Now we search for cryptographically useful almost difference sets of Z_N. It follows immediately from Proposition 4.3.3 that if N = 4t + 1 is a prime, then the quadratic residues modulo N form an (N, (N − 1)/2, (N − 5)/4) almost difference set. Now a natural question is whether the biquadratic residues form an (N, t, (t − 3)/4) almost difference set, if N = 4t + 1 is a prime. The following necessary condition is easy to see.

Theorem 6.6.2 Let N = 4t + 1. If the biquadratic residues modulo N form an (N, t, (t − 3)/4) almost difference set, then t must be of the form 4u + 3 for some u.

Taking N = 13 as an example, we have the set of biquadratic residues D = {1, 3, 9}, so λ = 0, and calculation shows that we have an almost difference set. Another positive example is the case N = 29. A negative example is the case N = 61. For this example we have t = 15 and D = {1, 16, 12, 9, 22, 47, 20, 15, −4, −3, −48, −36, −27, −5, −19}. This example shows that the biquadratic residues modulo N may not form an almost difference set, if N = 4t + 1 with t being a prime of the form 4u + 3. However, we have the following general conclusion:
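The "calculation shows" above can be done mechanically. The following Python script is an added example, not code from the book: it computes the difference function d(w) = |D ∩ (D + w)| of a subset D of Z_N for every w ≠ 0 and classifies D as a difference set (d constant), an almost difference set (d takes the two values λ and λ + 1, each on exactly (N − 1)/2 shifts) or neither. The helper names are my own choice; the sample sets are the quadratic and biquadratic residues modulo the small primes discussed in the text.

```python
def power_residues(N, r):
    """The nonzero r-th power residues modulo a prime N (a multiplicative subgroup of Z_N^*)."""
    return sorted({pow(x, r, N) for x in range(1, N)})

def difference_counts(D, N):
    """d(w) = |D ∩ (D + w)| for each w in 1..N-1, i.e. the number of ordered pairs
    (d1, d2) in D x D with d1 - d2 = w (mod N)."""
    S = set(d % N for d in D)
    return {w: sum(1 for d in S if (d + w) % N in S) for w in range(1, N)}

def classify(D, N):
    """Return ("difference set", lam), ("almost difference set", lam) or ("neither", None)."""
    counts = difference_counts(D, N)
    values = sorted(set(counts.values()))
    if len(values) == 1:                      # d(w) constant: a genuine difference set
        return ("difference set", values[0])
    lam = values[0]
    low = sum(1 for v in counts.values() if v == lam)
    # almost difference set: exactly two levels lam and lam+1, half of the shifts each
    if len(values) == 2 and values[1] == lam + 1 and 2 * low == N - 1:
        return ("almost difference set", lam)
    return ("neither", None)

def parameters(D, N):
    """(kind, (N, k, lam)) so the result can be compared with the theorems' parameters."""
    kind, lam = classify(D, N)
    return kind, (N, len(set(d % N for d in D)), lam)

if __name__ == "__main__":
    # Quadratic residues modulo N = 4t+1: an (N, (N-1)/2, (N-5)/4) almost difference set.
    for N in (13, 29, 37, 41):
        print("QR mod", N, parameters(power_residues(N, 2), N))
    # Biquadratic residues modulo 13 and 29 (t = 3 and t = 7, both of the form 4u+3).
    for N in (13, 29):
        print("biquadratic residues mod", N, parameters(power_residues(N, 4), N))
    # A prime N = 4t-1: here the quadratic residues form a genuine difference set.
    print("QR mod 11", parameters(power_residues(11, 2), 11))
```

For N = 13 the biquadratic residues {1, 3, 9} give d(w) = 1 on six shifts and d(w) = 0 on the other six, so λ = 0 as stated in the text; the quadratic residues modulo 13 give λ = (13 − 5)/4 = 2, and modulo 11 they give the constant value 2 of the (11, 5, 2) difference set.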
Theorem 6.6.3 Let N = 4t + 1 be a prime with t ≡ 3 (mod 4), and let D be the set of biquadratic residues modulo N. Then the equation

$a = x - y,\qquad (x, y) \in D \times D,\quad x \neq y$

has u solutions for half of the nonzero elements a of Z_N, and v solutions for the other half, where u ≥ 0, v ≥ 0 and u + v = t(t − 1)/2.

Proof: Let α be a primitive root modulo N and D = ⟨α^4⟩ the multiplicative subgroup of Z_N^*. Then D is the set of biquadratic residues modulo N. Let

$D^- = \{d_i - d_j : (d_i, d_j) \in D \times D,\ i \neq j\}.$

By assumption we have −1 = α^{2t} = α^{8s+6} for some s. This gives α^2 D = −D and α^3 D = −αD. Hence, we get

$|D^- \cap \alpha^2 D| = |D^- \cap (-D)| = u,\qquad |D^- \cap \alpha^3 D| = |D^- \cap (-\alpha D)| = v.$

Furthermore, we have

$t(t-1) = |D^-| = |D^- \cap D| + |D^- \cap \alpha D| + |D^- \cap \alpha^2 D| + |D^- \cap \alpha^3 D| = 2u + 2v.$

Thus, the theorem follows. □

As already mentioned above, the set of biquadratic residues D is a multiplicative subgroup of the group (Z_N^*, ·). This property makes the sets of biquadratic residues cryptographically attractive if they have good difference property, because the multiplicative group structure can lead to an easy realization of their characteristic functions. The following theorem gives necessary and sufficient conditions which ensure the almost difference property of the biquadratic residues.
Theorem 6.6.4 [105, 111] Let a prime N = 4t + 1 = x^2 + 4y^2 with x ≡ 1 (mod 4) and t being odd. Then the biquadratic residues modulo N form an (N, t, (t − 3)/4) almost difference set if and only if x = 5 or −3.

Proof: We consider the binary cyclotomic numbers of order 4 (see Chapter 4 for the definition and meaning of cyclotomic numbers). Let N = 4t + 1 be a chosen prime. Then N can be expressed as N = x^2 + 4y^2, x ≡ 1 (mod 4); here y is two-valued, depending on the choice of the primitive root [85]. There are five possible different cyclotomic numbers if t is even; i.e., (0,0), (1,3) = (2,3) = (1,2), (1,1) = (0,3), (2,2) = (0,2), (3,3) = (0,1), and

(0, 0) = (N − 11 − 6x)/16,
(0, 1) = (N − 3 + 2x + 8y)/16,
(0, 2) = (N − 3 + 2x)/16,
(0, 3) = (N − 3 + 2x − 8y)/16,
(1, 2) = (N + 1 − 2x)/16.

For the case of t odd, there are at most five distinct cyclotomic numbers, which are

(0, 0) = (2, 2) = (2, 0) = (N − 7 + 2x)/16,
(0, 1) = (1, 3) = (3, 2) = (N + 1 + 2x − 8y)/16,
(1, 2) = (0, 3) = (3, 1) = (N + 1 + 2x + 8y)/16,
(0, 2) = (N + 1 − 6x)/16,
the rest = (N − 3 − 2x)/16.

It follows from these cyclotomic formulae that

$\frac{N - 7 + 2x}{16} - \frac{N - 3 - 2x}{16} = \frac{4x - 4}{16} = \frac{x - 1}{4} = \pm 1$

if and only if x = 5 or −3. This completes the proof. □

Let N = 8t + 1. It is possible for the set of octic residues D_0 = ⟨α^8⟩ to form an almost difference set of Z_N, where α is a primitive root of N. Since |D_0| = t, a necessary condition for D_0 to be an almost difference set is t(t − 1) = (2λ + 1)(N − 1)/2. It follows that t = 8λ + 5 and therefore N = 8t + 1 = 64λ + 41 = 16(4λ + 2) + 9. Under these necessary conditions the cyclotomic numbers of order 8 are given in two sets of formulae according to whether 2 is a quartic residue or not, in terms of N, x, y, a and b which are determined by

$N = x^2 + 4y^2 = a^2 + 2b^2 \qquad (x \equiv a \equiv 1 \pmod 4). \qquad (6.1)$
The relations among the cyclotomic constants are given in Table 4.3 and the cyclotomic numbers are described by Table B.8. The eight cyclotomic numbers we need are the following:

(1, 1) = (3, 3) = (5, 5) = (7, 7) = (N − 7 + 2x + 4a)/64,
(2, 2) = (6, 6) = (N − 7 − 2x − 8a)/64,
(0, 0) = (4, 4) = (N − 15 − 2x)/64.

By the definitions of almost difference sets and cyclotomic numbers, D_0 is an almost difference set if and only if (2,2) = (6,6) = (0,0) = (4,4) and (1,1) = (0,0) ± 1. Obviously, (0,0) = (2,2) if and only if a = 1. Under the condition a = 1, (1,1) = (0,0) ± 1 if and only if x = −19 or 13. Since both −19 and 13 are congruent to 1 modulo 4, they are solutions. Thus, we have proved the following:

Theorem 6.6.5 [105, 111] Let N = 8t + 1 and t = 8λ + 5, where λ is a positive integer. Assume that 2 is a quartic residue modulo N. Then the set of octic residues D_0 forms an almost difference set if and only if N admits the simultaneous representations

$N = 19^2 + 4y^2 = 1 + 2b^2 \qquad\text{or}\qquad N = 13^2 + 4y^2 = 1 + 2b^2.$

For the case that 2 is not a quartic residue we have the following result.

Theorem 6.6.6 [105, 111] Let N = 8t + 1 and t = 8λ + 5, where λ is a positive integer such that 2 is not a quartic residue. Then the set of octic residues D_0 forms an almost difference set if and only if N = 41.

Proof: The proof is similar to that of the foregoing theorem. We still assume the partition of (6.1). By Tables 4.3 and B.8 the eight cyclotomic numbers we need are the following:

(0, 0) = (4, 4) = (N − 15 − 10x − 8a)/64,
(1, 1) = (5, 5) = (N − 7 + 2x + 4a − 16y)/64,
(2, 2) = (6, 6) = (N − 7 + 6x)/64,
(3, 3) = (7, 7) = (N − 7 + 2x + 4a + 16y)/64.

Since the equations (1,1) = (3,3) and (0,0) = (2,2) have no solution, there are only two sets of conditions in which the set D_0 can form an almost difference set. They are given by

(1,1) = (0,0), (2,2) = (3,3), (1,1) = (2,2) ± 1

and

(1,1) = (2,2), (0,0) = (3,3), (1,1) = (0,0) ± 1.

Solving the two sets of equations gives only the solutions (x, y, a) = (5, 2, −3) and (x, y, a) = (5, −2, −3) respectively. Thus, we get only the prime 41. It is easily checked that 2 is indeed not a quartic residue modulo 41. This proves the theorem. □

Thus we have found all the primes of the form 8t + 1 such that the set of octic residues forms an almost difference set.
6.7 Almost Difference Sets and Autocorrelation Functions

The characteristic function of a subset of Z_N and the autocorrelation function of a function from Z_N to Z_2 were defined in Section 6.2. It was proved in Section 6.2 that the difference sets of Z_N can be characterized by the autocorrelation function of their characteristic functions. Let D be an (N, k, λ) almost difference set of Z_N, f_D its characteristic function and s^∞ its periodic characteristic sequence. Similarly, we have the following result.

Theorem 6.7.1 Let D be an (N, k, λ) almost difference set of Z_N. Then

$AC_{s^\infty}(w) = AC_{f_D}(w) = \begin{cases} 1, & w = 0; \\ 1 - 4(k - \lambda)/N, & \text{for half of the nonzero elements of } Z_N; \\ 1 - 4(k - \lambda - 1)/N, & \text{for the other half.} \end{cases}$

Proof: It follows from the definition of the autocorrelation function that

$N \cdot AC_{s^\infty}(w) = N \cdot AC_{f_D}(w) = \Bigl(\sum_{x \in D} + \sum_{x \in D^*}\Bigr)(-1)^{f(x) + f(x+w)}$
$= |(w + D) \cap D| - |(w + D) \cap D^*| + |(-w + D^*) \cap D^*| - |(-w + D^*) \cap D|,$

where D* = Z_N \ D. Denoting |(w + D) ∩ D| = d(w) for w ≠ 0, we obtain

$|(w + D) \cap D^*| = k - d(w),\qquad |(-w + D^*) \cap D| = k - d(w),\qquad |(-w + D^*) \cap D^*| = N - 2k + d(w).$

On the other hand, we have |(w + S) ∩ S| = |(−w + S) ∩ S| for any subset S of Z_N. Combining the above results gives

$AC_{f_D}(w) = AC_{s^\infty}(w) = [N - 4(k - d(w))]/N.$

Since d(w) = λ for half of the elements of Z_N^* and d(w) = λ + 1 for the other half, the conclusions of the theorem are true. □

This theorem shows that there is little difference between the autocorrelation property of the characteristic functions of difference sets and that of almost difference sets. It shows also that the difference property of the characteristic sequences of almost difference sets is almost the same as that of difference sets. These facts indicate to some extent the cryptographic significance of the almost difference sets.
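To see Theorem 6.7.1 numerically, here is an added Python example (not from the book) that builds the periodic characteristic sequence of a subset D of Z_N, computes its periodic autocorrelation AC(w) = (1/N) Σ_i (−1)^{s_i + s_{i+w}} exactly with fractions, and compares the distribution of values with the three levels the theorem predicts from (N, k, λ). The sample set is the quadratic residues modulo 13, a (13, 6, 2) almost difference set by Proposition 4.3.3; the function names are mine.

```python
from fractions import Fraction
from collections import Counter

def characteristic_sequence(D, N):
    """One period of s^inf: s_i = 1 if i in D else 0, for 0 <= i < N."""
    S = {d % N for d in D}
    return [1 if i in S else 0 for i in range(N)]

def autocorrelation(seq):
    """Periodic autocorrelation AC(w) = (1/N) * sum_i (-1)^(s_i + s_{i+w}), exact in Q."""
    N = len(seq)
    return {w: Fraction(sum((-1) ** (seq[i] ^ seq[(i + w) % N]) for i in range(N)), N)
            for w in range(N)}

def predicted_levels(N, k, lam):
    """Value -> multiplicity predicted by Theorem 6.7.1 for an (N, k, lam) ADS."""
    return {Fraction(1): 1,
            Fraction(N - 4 * (k - lam), N): (N - 1) // 2,
            Fraction(N - 4 * (k - lam - 1), N): (N - 1) // 2}

def check_theorem(D, N, lam):
    """Return (observed value distribution, predicted distribution, whether they agree)."""
    ac = autocorrelation(characteristic_sequence(D, N))
    observed = dict(Counter(ac.values()))
    predicted = predicted_levels(N, len(set(d % N for d in D)), lam)
    return observed, predicted, observed == predicted

if __name__ == "__main__":
    N = 13
    QR = sorted({pow(x, 2, N) for x in range(1, N)})   # {1, 3, 4, 9, 10, 12}, k = 6
    obs, pred, ok = check_theorem(QR, N, lam=(N - 5) // 4)
    print("observed :", obs)
    print("predicted:", pred)
    print("Theorem 6.7.1 holds:", ok)
```

With N = 13, k = 6 and λ = 2 the two nonzero levels are 1 − 16/13 = −3/13 and 1 − 12/13 = 1/13, each taken on six of the twelve nonzero shifts, which is exactly what the script observes.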
6.8 Almost Difference Sets, Nonlinearity and Approximation

In Section 6.3 it was proved that the characteristic functions of some difference sets are good cryptographic functions with the best nonlinearity with respect to the additions of Z_N and Z_2. For the characteristic functions of some almost difference sets, we have similar results.

Theorem 6.8.1 Let D be an (N, k, λ) almost difference set of Z_N, and let f(x) be the characteristic function of D. Then

$p_f(\alpha, 0) = \begin{cases} \dfrac{N - 2(k - \lambda)}{N}, & \text{for half of the nonzero } \alpha\text{'s}; \\[4pt] \dfrac{N - 2(k - \lambda - 1)}{N}, & \text{for the other half}; \end{cases}$

$p_f(\alpha, 1) = \begin{cases} \dfrac{2(k - \lambda)}{N}, & \text{for half of the nonzero } \alpha\text{'s}; \\[4pt] \dfrac{2(k - \lambda - 1)}{N}, & \text{for the other half}; \end{cases}$

where $p_f(\alpha, \beta) = \Pr(f(x) - f(y) = \beta \mid x - y = \alpha)$.

Proof: It is left as an exercise. □

This theorem shows that the characteristic functions of the almost difference sets with parameters (N, k, λ) have good nonlinearity with respect to the additions of Z_N and Z_2, provided that |N/4 − k + λ| is small enough. Since there are only almost difference sets in Z_N if N is odd, and there are only trivial affine functions from Z_N to Z_2 for odd N by Theorem 6.5.1, there are no affine approximation problems for the characteristic functions of almost difference sets with respect to the additions of the two rings Z_N and Z_2.
6.9 Summary

In this chapter we have seen that there is a one-to-one correspondence among the subsets of Z_N, binary sequences of period (not necessarily the least period) N, and functions from Z_N to Z_2, as depicted by Figure 6.1. Thus, binary sequences of period N and their properties can be characterized with subsets of Z_N and their properties, or with functions from Z_N to Z_2 and their properties. It is clear that studies of the three subjects are equivalent. Further relations among them can certainly be described.

Figure 6.1: The equivalence relation. (The figure links pairwise three boxes: subsets of Z_N and their properties; binary sequences of period N and their properties; functions from Z_N to Z_2 and their properties.)
Chapter 7 Difference Sets and Sequences

As we saw in Sections 6.2, 6.7, and 2.4, the autocorrelation property of a binary periodic sequence is closely related to the difference property of its characteristic set with respect to the addition of Z_N, where N is a period of the sequence. Generally speaking, the better the difference property of its characteristic set, the smaller max_{w≠0} |AC_s(w)| will be. In particular, for residue difference sets the autocorrelation functions of their characteristic sequences (briefly, DSC sequences) are 2-valued. For almost difference sets of Z_N's the autocorrelation functions of their characteristic sequences (briefly, ADSC sequences) are 3-valued. Furthermore, the characteristic sequences of difference sets and almost difference sets with parameters (N, k, λ) having k − λ ≈ N/4 have good autocorrelation property. The autocorrelation property of sequences is cryptographically important for at least one reason: the control of the transformation density of some stream ciphers [98]. In addition, the autocorrelation property determines the two-digit pattern distributions of binary sequences. Due to the cryptographic significance of DSC sequences and ADSC sequences this chapter mainly introduces the differential analysis of those sequences and presents some results about their linear complexity. The NSG realization of sequences is also presented to show the significance of the differential analysis of sequences.

7.1 The NSG Realization of Sequences

There are many ways to generate sequences, as shown by the many kinds of proposed generators. In spite of the flexibility of generating binary sequences, every binary sequence generator is equivalent to a natural sequence generator (NSG) described in Chapter 2. We say two generators are equivalent if, given any output sequence of one of the generators, the other generator can produce the same output sequence when the parameters of the generator are properly chosen. In this section we search for those NSGs which can produce some given sequences and for the equivalent NSGs of some known generators. To this end, we need the trace representation of sequences. It is well known that every periodic sequence in K = GF(q) has a trace representation described by the following two propositions [222, pp. 406 and 467].

Proposition 7.1.1 Let s^∞ be a periodic sequence in K = GF(q) whose characteristic polynomial f(x) of degree k is irreducible over K. Let α be a root of f(x) in the extension field F = GF(q^k). Then there exists a uniquely determined θ ∈ F such that

$s_n = \mathrm{Tr}_{F/K}(\theta \alpha^n),\qquad n \geq 0,$

where Tr_{F/K}(x) is the trace function.

The characteristic polynomial of a sequence refers to a zero polynomial of the sequence, which is a multiple of the monic minimal polynomial of the sequence. Proposition 7.1.1 gives a trace representation only for periodic sequences whose characteristic polynomials are irreducible over K. Generally we have the following conclusion [222, p. 467].

Proposition 7.1.2 Let s^∞ be a periodic sequence in K = GF(q) with characteristic polynomial f(x) = f_1(x) ··· f_r(x), where the f_i(x) are distinct irreducible polynomials over K. For i = 1, ..., r, let α_i be a root of f_i(x) in its splitting field F_i over K. Then there exist uniquely determined elements θ_1 ∈ F_1, ..., θ_r ∈ F_r such that

$s_n = \mathrm{Tr}_{F_1/K}(\theta_1 \alpha_1^n) + \cdots + \mathrm{Tr}_{F_r/K}(\theta_r \alpha_r^n),\qquad n \geq 0.$

Now we describe an NSG realization of periodic sequences in the finite field K = GF(q). Let s^∞ be the sequence described in Proposition 7.1.1; then one of its NSG realizations is depicted by Figure 7.1. For the sequence s^∞ of Proposition 7.1.2 we have an NSG realization in Figure 7.2. The NSG realization of the maximum-length sequences is easy given the above two propositions. If one has a characteristic polynomial of a sequence, it is possible to give an NSG realization of the sequence. However the computational complexity could be very large, depending on the sequence. Finding the minimal polynomial of a periodic sequence could be easy as we have the efficient Berlekamp-Massey algorithm. But factoring a polynomial and finding the parameters θ_i and α_i of Proposition 7.1.2 could be hard. We also note that the NSG realization of a sequence is not unique.
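As an added illustration of Proposition 7.1.1 and of the NSG realization of Figure 7.1 (example code, not from the book): the Python script below builds GF(2^4) as GF(2)[x]/(x^4 + x + 1), computes s_n = Tr(θ α^n) with α the class of x, and recovers the unique θ that reproduces a given output of the LFSR with characteristic polynomial x^4 + x + 1. The choice of field, the LFSR used as reference and all function names are my own.

```python
# GF(2^4) built as GF(2)[x]/(x^4 + x + 1); elements are 4-bit ints, bit i <-> x^i.
MODULUS = 0b10011          # x^4 + x + 1 (primitive, so alpha = x generates GF(16)^*)
DEGREE = 4
ALPHA = 0b10               # the class of x, a root of the characteristic polynomial

def gf_mul(a, b):
    """Multiply two elements of GF(2^4) (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << DEGREE):
            a ^= MODULUS
    return r

def gf_pow(a, n):
    r = 1
    for _ in range(n):
        r = gf_mul(r, a)
    return r

def trace(z):
    """Tr_{GF(16)/GF(2)}(z) = z + z^2 + z^4 + z^8, always 0 or 1."""
    t, p = 0, z
    for _ in range(DEGREE):
        t ^= p
        p = gf_mul(p, p)
    return t

def trace_sequence(theta, length):
    """s_n = Tr(theta * alpha^n): the NSG realization of Proposition 7.1.1
    (an N-cyclic counter n driving the trace map, with theta as the key)."""
    return [trace(gf_mul(theta, gf_pow(ALPHA, n))) for n in range(length)]

def lfsr_sequence(state, length):
    """Reference LFSR with characteristic polynomial x^4 + x + 1: s_{n+4} = s_{n+1} + s_n."""
    s = list(state)
    while len(s) < length:
        s.append(s[-4] ^ s[-3])
    return s[:length]

def find_theta(initial_state):
    """Solve for the theta whose trace sequence starts with the given 4 bits; the
    proposition says it is unique, and the search confirms that for every state."""
    matches = [th for th in range(1 << DEGREE)
               if trace_sequence(th, DEGREE) == list(initial_state)]
    assert len(matches) == 1
    return matches[0]

if __name__ == "__main__":
    state = [1, 0, 0, 0]
    theta = find_theta(state)
    print("theta =", bin(theta))
    print("trace :", trace_sequence(theta, 15))
    print("lfsr  :", lfsr_sequence(state, 15))
```

Because Tr(θα^{n+4}) = Tr(θα^n(α + 1)) = Tr(θα^{n+1}) + Tr(θα^n), every trace sequence satisfies the LFSR recurrence, and matching the first four terms pins down the whole period of 15.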
Figure 7.1: The NSG realization of some sequences. (The figure shows a key feeding an N-cyclic counter whose output drives the trace map of Proposition 7.1.1.)
7.2 Differential Analysis of Sequences

For any sequence generator (SG), suppose that its output sequence s^∞ over a finite group (G, +) has period N. Let

$C_s(g) = \{i : s_i = g,\ 0 \leq i \leq N-1\},\qquad g \in G,$

and f_s be the characteristic function of the partition {C_s(g) : g ∈ G}. The analysis of the difference parameters

$d_s(i, j; w) = |C_s(i) \cap (C_s(j) - w)|,\qquad (i, j; w) \in G \times G \times Z_N,$

is called the differential analysis of the sequence. The conservation laws between the difference parameters are given in Section 4.2.1. The differential analysis of sequences could be finer than the autocorrelation analysis. However, for binary sequences they are equivalent. The relationship between the autocorrelation property of sequences and the above difference parameters has already been made clear in Sections 2.4, 6.2 and 6.7. It is clear that the differential analysis is in fact the two-character pattern distribution analysis, since the difference parameters d_s(i, j; w) represent the number of appearances of one two-character pattern in a period of the sequence. Let χ be a group character of (G, +). By definition the periodic autocorrelation function of a sequence s^∞ of period N over G is given by

$AC_s(l) = \sum_{i=0}^{N-1} \chi(s_i - s_{i+l})$
$= \sum_{v \in G} |\{0 \leq i \leq N-1 : s_i - s_{i+l} = v\}|\,\chi(v)$
$= \sum_{v \in G} \sum_{u \in G} |C_s(u) \cap [C_s(u - v) - l]|\,\chi(v)$
$= \sum_{v \in G} \sum_{u \in G} d_s(u, u - v; l)\,\chi(v).$

Thus, if the difference parameter d_s(i, j; w) is a constant for all (i, j) ∈ G × G, the autocorrelation value AC_s(l) = 0 if l ≠ 0. Generally, the flatter the difference parameters, the smaller the autocorrelation values |AC_s(l)| for l ≠ 0. But the converse may not be true when |G| ≥ 3. In summary, the differential analysis gives the autocorrelation analysis and the two-character pattern analysis.

Note that every periodic sequence has an NSG realization and many generators have an equivalent NSG. Thus, if an equivalent NSG of a keystream generator can be constructed, the differential analysis of the NSG is necessary due to the differential attack described in [98]. If we cannot ensure that an equivalent NSG of the keystream generator cannot be constructed, then we should carry out the differential analysis of the keystream. Otherwise, a bad difference property of the keystream sequence could lead to the determination of some parameters of the NSG with which the NSG could produce the same keystream sequence.

Figure 7.2: The NSG realization of some general sequences. (The figure shows a key feeding an N-cyclic counter whose output drives the trace maps Tr_{F_1/K}(θ_1 α_1^n), ..., which are summed as in Proposition 7.1.2.)
7.3 Linear Complexity of DSC (ADSC) Sequences

It is known that for any binary maximum-length sequence s^∞ of period 2^m − 1, its characteristic set is a (2^m − 1, 2^{m−1}, 2^{m−2}) difference set (for example, see [336], p. 314). On the other hand, the m-sequences satisfy also Golomb's three postulates. But these sequences have only linear complexity m, which is very small compared with the period 2^m − 1. However, there are some DSC sequences with large linear complexity. In fact there do exist DSC sequences having maximum linear complexity, as described by the following proposition [98].

Proposition 7.3.1 Let D be an (N, k, λ) difference set of Z_N and s^∞ be its periodic characteristic sequence. Then

1. if k is even and λ odd, then $L(s^\infty) = N - 1$;

2. if k is odd and λ even, then $L(s^\infty) = N$;

3. if k and λ both are even, then
$L(s^\infty) = \deg \frac{\gcd(s^N(x^{-1})x^N,\ x^N - 1)}{\gcd\bigl(\gcd(s^N(x),\ x^N - 1),\ \gcd(s^N(x^{-1})x^N,\ x^N - 1)\bigr)};$

4. if k and λ both are odd, then
$L(s^\infty) = \deg \frac{\gcd(s^N(x^{-1})x^N,\ x^N - 1)\,(x - 1)}{\gcd\bigl(\gcd(s^N(x),\ x^N - 1),\ \gcd(s^N(x^{-1})x^N,\ x^N - 1)\bigr)};$

where $s^N(x) = s_0 + s_1 x + \cdots + s_{N-1} x^{N-1}$.

Proof: It is well known [97], [222, pp. 418-423], that the minimal polynomial of a sequence of period N over GF(q) can be expressed as

$f_s(x) = \frac{x^N - 1}{\gcd(s^N(x),\ x^N - 1)}.$

Since the characteristic sequences are binary, our arithmetic is now on GF(2). Let D be the characteristic set of s^∞. Since D is a difference set,

$s^N(x)\, s^N(x^{-1})\, x^N \equiv \sum_{i,j} x^{d_i - d_j} \equiv (n \bmod 2) + (\lambda \bmod 2)(1 + x + \cdots + x^{N-1}) \pmod{x^N - 1},$

where n = k − λ.
If k is even and λ is odd, then n is odd, and

$s^N(x)\, s^N(x^{-1})\, x^N \equiv 1 + (1 + x + \cdots + x^{N-1}) \pmod{x^N - 1}.$

By the difference-set property k(k − 1) = (N − 1)λ. Thus N must be odd. It follows further from the assumptions of the proposition that (x + 1) but not (x + 1)^2 divides s^N(x). Hence

$\gcd(s^N(x),\ x^N - 1) = x - 1,\qquad f_s(x) = (x^N - 1)/(x - 1).$

Thus the linear complexity of the sequence is N − 1. This proves part one.

If k is odd and λ even, then

$s^N(x)\, s^N(x^{-1})\, x^N \equiv 1 \pmod{x^N - 1}.$

It follows that gcd(s^N(x), x^N − 1) = 1, and L(s^∞) = N. This proves part two.

If k and λ both are even, then

$s^N(x)\, s^N(x^{-1})\, x^N \equiv 0 \pmod{x^N - 1}$

and therefore

$\gcd(s^N(x),\ x^N - 1)\,\gcd(s^N(x^{-1})x^N,\ x^N - 1) \equiv 0 \pmod{x^N - 1},$

whence gcd(s^N(x), x^N − 1) is equal to

$\frac{(x^N - 1)\,\gcd\bigl(\gcd(s^N(x),\ x^N - 1),\ \gcd(s^N(x^{-1})x^N,\ x^N - 1)\bigr)}{\gcd(s^N(x^{-1})x^N,\ x^N - 1)}.$

This proves part three. The remaining part four can be proved similarly. □

Set n = k − λ. The linear complexity of the DSC sequences is optimal for those with parameter n odd. This also shows the cryptographic importance of the parameter n. For those DSC sequences with parameter n even, the linear complexity seems hard to control. As an example, we consider the binary maximum-length sequences. Their characteristic sets form (2^m − 1, 2^{m−1}, 2^{m−2}) difference sets. For those difference sets we have n = k − λ = 2^{m−2}, which is even. When n is even, the formulae for the linear complexity in Proposition 7.3.1 are not practical in general. But in some special cases they might be reduced to practical ones. Planar difference sets are those with parameters (N, k, λ) having λ = 1. If we can find planar difference sets with k even, then we get sequences with maximum linear complexity. However, since k ≈ √N, those sequences are fairly unbalanced. If the prime p ≠ 2, the periodic characteristic sequences of those (p^{2j} + p^j + 1, p^j + 1, 1) difference sets have linear complexity N − 1
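The following Python script is an added example (not from the book) that applies the minimal-polynomial formula f_s(x) = (x^N − 1)/gcd(s^N(x), x^N − 1) from the proof above: polynomials over GF(2) are stored as Python ints (bit i is the coefficient of x^i), the linear complexity is N − deg gcd(s^N(x), x^N − 1), and the result is cross-checked against an independent Berlekamp-Massey run over two periods. The sample sets are the quadratic residues modulo 11, an (11, 5, 2) difference set (case 2 of Proposition 7.3.1, L = N), and their complement, an (11, 6, 3) difference set (case 1, L = N − 1); helper names are mine.

```python
def deg(p):
    """Degree of a GF(2)[x] polynomial stored as an int; deg(0) = -1."""
    return p.bit_length() - 1

def poly_mod(a, b):
    """Remainder of a divided by b in GF(2)[x] (b != 0)."""
    while a and deg(a) >= deg(b):
        a ^= b << (deg(a) - deg(b))
    return a

def poly_gcd(a, b):
    """Euclid's algorithm in GF(2)[x]."""
    while b:
        a, b = b, poly_mod(a, b)
    return a

def characteristic_polynomial_of_set(D, N):
    """s^N(x) = sum of x^d over d in D: the Hall polynomial of D read over GF(2)."""
    return sum(1 << d for d in {d % N for d in D})

def linear_complexity_by_formula(D, N):
    """L(s) = N - deg gcd(s^N(x), x^N - 1), because f_s(x) = (x^N - 1)/gcd(...)."""
    g = poly_gcd(characteristic_polynomial_of_set(D, N), (1 << N) | 1)
    return N - deg(g)

def berlekamp_massey(bits):
    """Linear complexity of a finite binary sequence (standard algorithm over GF(2))."""
    n = len(bits)
    c = [0] * (n + 1); b = [0] * (n + 1)   # connection polynomial and its last copy
    c[0] = b[0] = 1
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                          # discrepancy between prediction and s_i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):   # c(x) <- c(x) + x^(i-m) b(x)
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

def linear_complexity_by_bm(D, N):
    """Berlekamp-Massey over two periods of the characteristic sequence (2N >= 2L)."""
    S = {d % N for d in D}
    period = [1 if i in S else 0 for i in range(N)]
    return berlekamp_massey(period * 2)

if __name__ == "__main__":
    N = 11
    QR = sorted({pow(x, 2, N) for x in range(1, N)})      # (11, 5, 2): k odd, lam even
    NQR = [i for i in range(N) if i not in QR]           # (11, 6, 3): k even, lam odd
    for name, D in (("QR", QR), ("complement", NQR)):
        print(name, D, linear_complexity_by_formula(D, N), linear_complexity_by_bm(D, N))
```

For the complement, s^N(1) = 6 = 0 in GF(2), so x + 1 divides s^N(x) and the gcd with x^11 + 1 is exactly x + 1, giving L = 10; for the quadratic residues s^N(1) = 1, the gcd is 1 and L = 11, as the proposition states.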
and they are also fairly unbalanced. Another family of difference sets is the Singer difference sets with parameters

$N = \frac{q^{m+1} - 1}{q - 1},\qquad k = \frac{q^m - 1}{q - 1},\qquad \lambda = \frac{q^{m-1} - 1}{q - 1},$

which exist whenever q is a prime power and m ≥ 2 [337], [14, pp. 99-104], [336, pp. 313-314]. Since

$k - \lambda = q^{m-1},\qquad \lambda = 1 + q + \cdots + q^{m-2},$

the linear complexity of the periodic characteristic sequences of these difference sets is N − 1 if q is not a power of 2. However, unfortunately we have N/k ≈ q. This kind of unbalance may restrict the cryptographic application of these sequences.

A difference set which is composed of all the m-th powers modulo some prime N, or of the m-th powers and zero, is called an m-th power residue difference set. Probably the cryptographically most important periodic characteristic sequences of difference sets are those of the quadratic residue difference sets. Let D be an (N, k, λ) difference set of Z_N (see Proposition 4.3.3). The polynomial

$H(x) = x^{d_1} + x^{d_2} + \cdots + x^{d_k}$
over the ring Z_N is called the Hall polynomial of the difference set, the generating polynomial of the difference set or the difference set polynomial. In terms of this polynomial the difference set property is

$H(x)\,H(x^{-1}) = \sum_{i,j=1}^{k} x^{d_i - d_j} \equiv n + \lambda(1 + x + \cdots + x^{N-1}) \pmod{x^N - 1},$

where n = k − λ. Let s^∞ be the periodic characteristic sequence of the (N, k, λ) difference set D; then

$s^N(x) = s_0 + s_1 x + \cdots + s_{N-1} x^{N-1} = x^{d_1} + x^{d_2} + \cdots + x^{d_k},$

where "+" denotes modulo 2 addition. Thus, if we consider the Hall polynomial over GF(2), then we have s^N(x) = H(x). It is by employing the formula

$\sum_{i,j=1}^{k} x^{d_i - d_j} \equiv n + \lambda(1 + x + \cdots + x^{N-1}) \pmod{x^N - 1}$

that the above general conclusions about the linear complexity of DSC sequences have been proved. However, with almost difference sets we do not have such a nice fact to employ. So it seems not easy to control the linear complexity by controlling the parity of n. However, we can control the linear complexity of ADSC sequences by employing the results of Chapter 3. It should be mentioned here that there are ADSC sequences which have optimal linear complexity. Examples are the characteristic sequences of quadratic residues modulo primes of the form 4t + 1 (see Proposition 4.3.3).

Research Problem 7.3.2 Analyze the linear complexity of the ADSC sequences.

7.4 Barker Sequences
In some communication systems the value max_{1 ≤ j ≤ …} …

… = S'(θ_1) + 1. □

Hence, S'(θ_1) ∉ {0, 1}.

Lemma 8.4.8 …
… ⌊log_2 N⌋. To determine the present key i with the above method, she has to use an algorithm to compute $f(i) = (x^{(N-1)/2} \bmod N)$ for arbitrary i ∈ Z_N. Assume that the cryptanalyst uses the fast exponentiation algorithm to determine each $D_{s_0 \cdots s_v}$ for each v with 0 ≤ v ≤ ⌊log_2 N⌋. If we take each integer multiplication, each integer addition, each modulo-2 and each modulo-N operation as one unit of computation, then the number of operations needed to determine the key i is at least

$2M \sum_{i=0}^{M-1} N/2^i$ (from the part of exponentiation mod 2)
$+\ 2 \sum_{i=0}^{M-1} N/2^i$ (from the part of the counter)
$+\ \sum_{i=0}^{M-1} N/2^i$ (from the part of y mod 2)
$= 2N(M + 3)\Bigl(1 - \frac{1}{2^M}\Bigr) = O(NM),$

where M is given above. If N is large enough, it is clearly impossible to determine the key computationally. Generally, let U_A(N) be the minimal number of operations to compute f(i) for each i ∈ Z_N by an algorithm A. Then we can similarly prove that the minimal number of operations for this kind of key-determining attack based on the algorithm A is at least

$2U_A(N) \sum_{i=0}^{M-1} N/2^i = 4N U_A(N)\Bigl(1 - \frac{1}{2^M}\Bigr).$

Since for any algorithm A we have U_A(N) ≥ 1, we see that for any such key-determining attack, the minimum number of operations needed is at least $4N(1 - 1/2^M)$. If N is chosen to be large enough, for example, say about 2^{100}, any attack of this kind is computationally infeasible at the present time. On the other hand, it seems that the storage space needed is at least O(N/2) with this procedure. This may also be infeasible for large N. Computational complexity is one source of deterministic randomness, and some of its cryptographic uses may be found in [355, 354, 395, 396, 205, 132, 242].
9.5 Sums of DSC Sequences

Since DSC (difference-set characterized) sequences are cryptographically attractive in many aspects, we analyze the bitwise XOR of two DSC sequences. For ADSC sequences the analysis is almost the same. Let N_1 = 4t_1 − 1 and N_2 = 4t_2 − 1 be two distinct large primes with t_1 and t_2 odd, and let z_1^∞ and z_2^∞ be the corresponding DSC sequences of Section 8.1.

9.5.1 Linear Complexity Analysis

The generating functions of the two sequences can be written as

$z_1^\infty = z_1^{N_1}(x)/(x^{N_1} + 1),\qquad z_2^\infty = z_2^{N_2}(x)/(x^{N_2} + 1).$

Hence

$z^\infty = (z_1 + z_2)^\infty = \frac{z_1^{N_1}(x)(x^{N_2} + 1) + z_2^{N_2}(x)(x^{N_1} + 1)}{(x^{N_1} + 1)(x^{N_2} + 1)}.$

Since both N_1 and N_2 are primes and N_1 ≠ N_2, gcd(x^{N_1} + 1, x^{N_2} + 1) = x + 1. On the other hand, it follows from L(z_1^∞) = N_1 and L(z_2^∞) = N_2 that

$\gcd(z_1^{N_1}(x),\ x^{N_1} + 1) = \gcd(z_2^{N_2}(x),\ x^{N_2} + 1) = 1.$
This ensures that

$\gcd\bigl((x^{N_1} + 1)(x^{N_2} + 1),\ z_1^{N_1}(x)(x^{N_2} + 1) + z_2^{N_2}(x)(x^{N_1} + 1)\bigr) = 1.$

Thus, the minimal polynomial of the sequence z^∞ is (x^{N_1} + 1)(x^{N_2} + 1), and therefore L(z_1^∞ + z_2^∞) = N_1 + N_2.

9.5.2 Balance Analysis

It is easily seen that

$\Pr(z_{1i} = 0) = (N_1 + 1)/2N_1,\qquad \Pr(z_{1i} = 1) = (N_1 - 1)/2N_1,$
$\Pr(z_{2i} = 0) = (N_2 + 1)/2N_2,\qquad \Pr(z_{2i} = 1) = (N_2 - 1)/2N_2.$

Since z_{1i} and z_{2i} are statistically independent, we have

$\Pr(z_i = 1) = \Pr(z_{1i} + z_{2i} = 1) = \Pr(z_{1i} = 0,\ z_{2i} = 1) + \Pr(z_{1i} = 1,\ z_{2i} = 0)$
$= \frac{N_1 + 1}{2N_1}\cdot\frac{N_2 - 1}{2N_2} + \frac{N_1 - 1}{2N_1}\cdot\frac{N_2 + 1}{2N_2} = \frac{N_1 N_2 - 1}{2N_1 N_2}.$

This means that the sequence z^∞ is almost balanced, with almost the same balance property as the sequences z_1^∞ and z_2^∞.

9.5.3 Correlation Analysis

It is easily verified that

$\Pr(z_i = z_{1i}) = \Pr(z_{2i} = 0) = (N_2 + 1)/2N_2,\qquad \Pr(z_i = z_{2i}) = \Pr(z_{1i} = 0) = (N_1 + 1)/2N_1.$

This means that any correlation attack making use of the correlation between z_i and z_{1i}, as well as z_i and z_{2i}, is impossible.

9.5.4 Differential Analysis

The equivalence between the autocorrelation and the differential analysis of binary sequences has been proved in Section 2.4. For the correlation property of the sequence z^∞, we have the following result.
9.5. Sums of DSC Sequences T h e o r e m 9.5.1 valued, i. e. ,
221
The autocorrelation function of the sequence z ~176is four
1, j  0 ; N12 '
ACz(j)
N1N2'
j = kN1, k 7/= 0;
gcd(j, NIN2)  1.
P r o o f : If j  kN1, k ~ 0, then N1N21
AC,(j)
=
~
(  1 ) "2''+'2''+j/WIN2
i=0
=
ACz2 (j mod N2) =  l/N2.
Similarly, we can prove AC~(j) =  1 / N ~ ,
for j  kN2, k # O.
If gcd(j, N1N2) = 1, then by definition we have ACz(j)

[2[{Zl,i + Zl,i+y  0} n {z2,i + z2,i+j = 0}[
=
2 Pr(zl,i + zl,i+j  O) Pr(z2,i + z2,i+j  0)
 [ ' 2 1 { Z l , i ~
Zl,iTj   1} gl {z2,i + z2,i+j  1 } 1  N 1 N 2 ] / N I N 2
+2 Pr(zl,i + Zl,i+j = 1)Pr(z~,i + z 2 , i + / = 1)  1 =
( A C z l ( j mod N1) + 1)(ACz2(j mod N~) + 1)/2
+(1  ACz, (j mod N1))(1  ACz2(j mod N2))/2  1 =
1~giN2.
This completes the proof. [:3 Now we calculate the difference parameters d z ( g , g ' ; j ) defined in Section 4.2. Let D be the characteristic set of z ~ , then ID[ = (N1N2  1)/2. On the other hand, we have I(D + j) fl D I + ](D + j) O D* I = (N~N2  1)/2, [(D* + j) n D* I + I(D* + j) N D I  (N1N~ + 1)/2, I(D + j) N D I + ](D* + j) fl D 1 = (N1N2  1)/2,
where $D^* = \mathbb{Z}_N \setminus D$. Consequently, we obtain
$$AC_z(j) = \big[|(D + j) \cap D| + |(D^* + j) \cap D^*| - |(D + j) \cap D^*| - |(D^* + j) \cap D|\big]/N_1N_2 = \big[4|(D + j) \cap D| + 2 - N_1N_2\big]/N_1N_2,$$
whence for $j \neq 0$,
$$|(D + j) \cap D| = \begin{cases} (N_1N_2 - N_1 - 2)/4, & j = kN_1,\ k \neq 0; \\ (N_1N_2 - N_2 - 2)/4, & j = kN_2,\ k \neq 0; \\ (N_1N_2 - 1)/4, & \gcd(j, N_1N_2) = 1 \end{cases}$$
and
$$|(D + j) \cap D^*| = \begin{cases} (N_1N_2 + N_1)/4, & j = kN_1,\ k \neq 0; \\ (N_1N_2 + N_2)/4, & j = kN_2,\ k \neq 0; \\ (N_1N_2 - 1)/4, & \gcd(j, N_1N_2) = 1. \end{cases}$$
These results show that $D$ is not a difference set of $\mathbb{Z}_{N_1N_2}$, but has a relatively good difference property. Specifically, for all $j \in \mathbb{Z}_N$ with $\gcd(j, N_1N_2) = 1$, the equations
$$j = d_1 - d_2, \qquad d_1, d_2 \in D$$
have the same number of solutions. Only for those $j$ with $j \bmod N_1 = 0$ or $j \bmod N_2 = 0$ does the above equation have a different number of solutions. It is necessary to choose two primes $N_1$ and $N_2$ such that $|N_1 - N_2|$ is small, in order to get a better sum sequence concerning the autocorrelation and difference property.
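As an added illustration (not from the book), the following Python code builds the sum sequence from two Legendre sequences of periods N1 = 7 and N2 = 11 and checks the four autocorrelation values of Theorem 9.5.1 together with the counts |(D+j) ∩ D| and |(D+j) ∩ D*| derived above; taking Legendre sequences of primes ≡ 3 (mod 4) as the two DSC sequences, and these particular periods, are assumptions of the example.

```python
# Added example: sum of two DSC sequences and the four-valued autocorrelation
# of Theorem 9.5.1, checked numerically (not code from the book).
from fractions import Fraction


def legendre_sequence(n):
    """Binary Legendre sequence of prime period n: z_i = 0 for i = 0 and for
    quadratic residues, z_i = 1 for nonresidues.  For n = 3 (mod 4) the set
    of ones is a difference set, so AC(j) = -1/n for every j != 0 (mod n),
    which is the DSC property assumed for z_1 and z_2 in this section."""
    residues = {(x * x) % n for x in range(1, n)}
    return [0 if i == 0 or i in residues else 1 for i in range(n)]


def sum_sequence(z1, z2):
    """z_i = z_{1,i} + z_{2,i} mod 2 over one period N1*N2; by the Chinese
    remainder theorem i runs through all pairs (i mod N1, i mod N2)."""
    n1, n2 = len(z1), len(z2)
    return [(z1[i % n1] + z2[i % n2]) % 2 for i in range(n1 * n2)]


def autocorrelation(z, j):
    """AC_z(j) = (1/N) * sum_i (-1)^(z_i + z_{i+j}), as an exact fraction."""
    n = len(z)
    return Fraction(sum((-1) ** (z[i] + z[(i + j) % n]) for i in range(n)), n)


def difference_counts(z, j):
    """(|(D+j) ∩ D|, |(D+j) ∩ D*|) for the characteristic set D = {i : z_i = 1}."""
    n = len(z)
    d = {i for i in range(n) if z[i] == 1}
    shifted = {(i + j) % n for i in d}
    return len(shifted & d), len(shifted - d)


def theorem_9_5_1(n1, n2, j):
    """The four values of AC_z(j) claimed by Theorem 9.5.1 (N1, N2 distinct primes)."""
    if j % (n1 * n2) == 0:
        return Fraction(1)
    if j % n1 == 0:
        return Fraction(-1, n2)
    if j % n2 == 0:
        return Fraction(-1, n1)
    return Fraction(1, n1 * n2)          # gcd(j, N1 N2) = 1


def predicted_counts(n1, n2, j):
    """|(D+j) ∩ D| and |(D+j) ∩ D*| from the formulas after Theorem 9.5.1, j != 0."""
    n = n1 * n2
    if j % n1 == 0:
        return (n - n1 - 2) // 4, (n + n1) // 4
    if j % n2 == 0:
        return (n - n2 - 2) // 4, (n + n2) // 4
    return (n - 1) // 4, (n - 1) // 4


if __name__ == "__main__":
    z = sum_sequence(legendre_sequence(7), legendre_sequence(11))
    for j in (1, 7, 11, 22):
        print(j, autocorrelation(z, j), theorem_9_5_1(7, 11, j), difference_counts(z, j))
```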
Chapter 10 Nonbinary Cyclotomic Generators

In the foregoing chapter we constructed a number of binary generators. In some applications nonbinary sequences may be needed. In this chapter we describe the rth-order cyclotomic generator and analyze its properties. In Section 10.5 we summarize some cryptographic ideas behind binary and nonbinary cyclotomic generators. Sections 10.1, 10.2, 10.3 and 10.4 are based on Ding and Helleseth [109].

10.1 The rth-Order Cyclotomic Generator
Let $p = rt + 1$ where $r$ and $p$ are both primes. Let $\theta$ be a generator of the multiplicative group of $GF(p)$ (i.e., $\theta$ has order $p - 1$). The cyclotomic classes of order $r$ give a partition of $GF(p)^* = GF(p) \setminus \{0\}$ defined by
$$D_0 = (\theta^r),\quad D_1 = \theta D_0,\quad \ldots,\quad D_{r-1} = \theta^{r-1} D_0,$$
where $D_0$ is the multiplicative subgroup generated by $\theta^r$. The rth-order cyclotomic generator is defined by
$$s(k)_i = \begin{cases} j, & \text{if } [(i + k) \bmod p] \in D_j,\ j = 0, 1, \ldots, r - 1; \\ 0, & \text{if } (i + k) \bmod p = 0, \end{cases}$$
for each $i \geq 0$, where $0 \leq k \leq p - 1$ is the initial state of the generator. Thus, $s(k)^\infty$ is a semi-infinite sequence of period $p$ over $GF(r)$, and is a shift of $s(0)^\infty$. We call $s(0)^\infty$ the cyclotomic sequence of order $r$ over $GF(r)$ with respect to the prime $p$, and denote it by $s^\infty$. Thus, $s^\infty$ is a semi-infinite sequence of period $p$ over $GF(r)$. The distribution of elements of $GF(r)$ over a cycle of $s^\infty$ is the best possible, i.e., 0 appears $t + 1$ times, and each other element $t$ times. When $r = 2$ a cyclotomic sequence of order 2 is simply a Legendre sequence.

For small $r$, the rth-order cyclotomic generator can be implemented easily. As an example, we consider the ternary cyclotomic generator. Let $p = 3t + 1$ be a prime. To implement the ternary generator, we need the cryptographic function $F(x)$ defined in Section 4.3. In Section 4.3.2 it was proved that $F(x)$ can be expressed as
$$F(x) = a(x^t \bmod p) \bmod 3, \qquad \text{with } a(x) = (2t + 1)[3 + (u - 1)x - (u + 2)x^2] \bmod p.$$
With this function the ternary cyclotomic generator based on cyclotomic numbers of order 3 is described by
$$s(k)_i = \big(a((i + k)^t \bmod p)\big) \bmod 3, \qquad i \geq 0, \tag{10.1}$$
where $0 \leq k \leq p - 1$.
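The following added Python example (not the book's code) implements the rth-order cyclotomic generator from the class definition and compares it with the closed form (10.1) for r = 3; the primitive root θ is found by brute force, and since the page does not define u, the example assumes u = θ^t, a primitive cube root of unity modulo p.

```python
# Added example (not from the book): the r-th order cyclotomic generator of
# Section 10.1 for p = rt + 1, together with the closed form (10.1) for r = 3.


def primitive_root(p):
    """Smallest generator theta of GF(p)^* (p prime), found by brute force."""
    for g in range(2, p):
        if len({pow(g, e, p) for e in range(1, p)}) == p - 1:
            return g
    raise ValueError("p must be prime")


def cyclotomic_class_index(p, r, theta):
    """Map each x in GF(p)^* to the j with x in D_j = theta^j * D_0, D_0 = <theta^r>."""
    return {pow(theta, e, p): e % r for e in range(p - 1)}


def cyclotomic_sequence(p, r, theta, k=0):
    """One period of s(k)^infinity: s(k)_i = j if (i + k) mod p lies in D_j, and
    0 if (i + k) mod p = 0.  Requires r | p - 1 (the book takes r and p prime)."""
    index = cyclotomic_class_index(p, r, theta)
    return [index.get((i + k) % p, 0) for i in range(p)]


def element_counts(seq):
    """Occurrences of each element over a cycle; the book states that 0 appears
    t + 1 times and every other element t times."""
    counts = {}
    for v in seq:
        counts[v] = counts.get(v, 0) + 1
    return counts


def ternary_closed_form(p, theta, k=0):
    """Formula (10.1): s(k)_i = a((i + k)^t mod p) mod 3 with p = 3t + 1 and
    a(x) = (2t + 1)[3 + (u - 1)x - (u + 2)x^2] mod p.  The page does not define
    u; here u = theta^t is assumed (a primitive cube root of unity, so that
    x^t = u^j exactly when x lies in D_j)."""
    t = (p - 1) // 3
    u = pow(theta, t, p)

    def a(x):
        return ((2 * t + 1) * (3 + (u - 1) * x - (u + 2) * x * x)) % p

    return [a(pow((i + k) % p, t, p)) % 3 for i in range(p)]


def closed_form_matches(p, theta):
    """Compare (10.1) with the class definition on the positions where
    (i + k) mod p != 0.  At the single zero position the closed form gives
    a(0) = 6t + 3 = 2p + 1 = 1 (mod p), i.e. output 1, whereas the definition
    gives 0, so that position is excluded from the comparison."""
    s_def = cyclotomic_sequence(p, 3, theta)
    s_cf = ternary_closed_form(p, theta)
    return all(s_def[i] == s_cf[i] for i in range(1, p))


if __name__ == "__main__":
    p, r = 7, 3
    theta = primitive_root(p)
    s = cyclotomic_sequence(p, r, theta)
    print(s, element_counts(s), closed_form_matches(p, theta))
```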
Theorem 10.2.2 Let $r \geq 3$. Then the linear complexity $L$ of $s^\infty$ is
$$L = \begin{cases} p - 1, & \text{if } r \notin D_0; \\ (r - 1)(p - 1)/r, & \text{if } r \in D_0. \end{cases}$$

Proof: Since $(S(\theta))^r = S(\theta^r)$, it follows from Lemma 10.2.1 that $S(\theta) \in GF(r)$ if and only if $r \in D_0$. Observe that by definition $S(1) = (p - 1)(r - 1)/2 = rt(r - 1)/2$, and therefore $S(1) = 0$ for $r \geq 3$ since $r - 1$ is even. The proof is divided into two cases depending on whether $r \in D_0$ or $r \notin D_0$.

Case 1: ($r \notin D_0$). In this case $S(\theta) \notin GF(r)$ and Lemma 10.2.1 implies that $S(\theta^d) \neq 0$ for all $d \in GF(p)^*$. Therefore, for $r \geq 3$,
$$\gcd(x^p - 1, S(x)) = x - 1.$$
This proves the first part of the theorem.

Case 2: ($r \in D_0$). In this case we have $S(\theta) \in GF(r)$ and Lemma 10.2.1 implies that $S(\theta^d) = 0$ for $d$ in exactly one cyclotomic class. Hence,
$$\deg\big(\gcd(x^p - 1, S(x))\big) = \frac{p - 1}{r} + 1.$$
This proves the second part of the theorem. □

We now compute the minimal polynomial of the rth-order cyclotomic sequence over $GF(r)$. In the case that $r \in D_0$, let
$$d_i(x) = \prod_{u \in D_i} (x - \theta^u), \qquad i = 0, 1, \ldots, r - 1.$$
Since $(d_i(x))^r = d_i(x^r)$, the coefficients of the polynomials $d_i(x)$ belong to $GF(r)$. Obviously, we have
$$x^p - 1 = (x - 1)\prod_{i=0}^{r-1} d_i(x).$$
The polynomials $d_i(x)$ depend on the choice of the primitive root $\theta$. However, this only results in a permutation of the subscripts $i$ of the $d_i(x)$. Since $S(\theta^d)$ takes on all elements of $GF(r)$ when $d$ ranges over $D_0, D_1, \ldots, D_{r-1}$, we can fix our $\theta$ above such that $S(\theta) = 0$. From the proof of Theorem 10.2.2 we obtain the following result due to Ding and Helleseth [109].

Theorem 10.2.3 Let $m(x)$ be the minimal polynomial of a cyclotomic sequence of order $r \geq 3$. Then
$$m(x) = \begin{cases} \dfrac{x^p - 1}{x - 1}, & \text{when } r \notin D_0; \\[2mm] \dfrac{x^p - 1}{(x - 1)\,d_0(x)}, & \text{when } r \in D_0. \end{cases}$$

10.3 Autocorrelation Property
Lemma 10.3.1 Let $a_h(\tau) = |\{j : s_{j+\tau} - s_j = h\}|$, $h = 0, 1, \ldots, r - 1$; then
 h, 0 k t  1 > "'" > k l ,
then for X  ~_, xiai, we have t
X d
n 2ki

II
i=1 l=1 ~
> 1, but $p$ does not divide $d$, so dividing $a$ and $b$ by $d$, we may assume that $p \mid N$, $N < p^2/2$, and $N = a^2 + b^2$ where $\gcd(a, b) = 1$. Then all prime divisors $q \neq p$ of $N$ are less than $p$. If $q$ were a sum of two squares, then Lemma 12.2.3 would show $N/q$ would be a multiple of $p$, which is also a sum of two squares. If all such $q$'s were sums of two squares, then repeatedly applying Lemma 12.2.3 would imply that $p$ itself was of the same form. So if $p$ is not a sum of two squares, there must be a smaller prime $q$ with the same property. Repeating this process indefinitely, we get an infinite decreasing sequence of prime numbers. This contradiction completes the Descent Step. This is a classical descent argument, and as Weil [381, pp. 68-69] argues, it is probably similar to what Fermat did. There is also another approach to the Descent Step which is based on the reduction theory of positive definite quadratic forms. The Reciprocity Step is simple. Since $p \equiv 1 \pmod 4$, we can write $p = 4k + 1$. Then Fermat's Little Theorem implies that
$$(x^{2k} - 1)(x^{2k} + 1) = x^{4k} - 1 \equiv 0 \pmod p$$
for all $x \not\equiv 0 \pmod p$. If $x^{2k} - 1 \not\equiv 0 \pmod p$ for some $x$, then $p \mid x^{2k} + 1$, so that $p$ divides a sum of relatively prime squares, as desired. It is easy to see that the required $x$ exists, since $x^{2k} - 1$ is a polynomial over the field $\mathbb{Z}_p$ and hence has at most $2k < p - 1$ roots. Euler's first proof that $x$ exists was quite different, for it used the calculus of finite differences [70, p. 69]. So Proposition 12.2.1 has been proved. □

For our application we are concerned with whether it is possible to have an efficient algorithm for finding the solutions of the two-square partition $p = x^2 + y^2$ for given primes $p$. Concerning the Reciprocity Step we can usually find an $x$ with $0 < x < p$ such that $p \mid x^{2k} + 1$ with ease, because any quadratic nonresidue of $p$ is such an $x$, where $p = 4k + 1$. Thus, if $\xi$ is a quadratic nonresidue of $p$, then $p \mid N'$, where $N' = (\xi^k)^2 + 1$. To get an $N = a^2 + b^2$ with $\gcd(a, b) = 1$ and $N < p^2/2$ such that $p \mid N$, we need only calculate $u$ with $\xi^k \bmod p = \pm u$ where $0 < u < p/2$. Let $N = u^2 + 1$. It was already known to Fermat that a positive integer $M$ is the sum of two squares if and only if the quotient of $M$ by its largest
square factor is the product of primes congruent to 1 modulo 4 [145, 70]. It follows that $N_1 = N/p$ must be a sum of two squares. Assume
$$N_1 = m^2 \prod_i p_i, \qquad p_i \equiv 1 \pmod 4,$$
where $m^2$ is the largest square factor of $N_1$, and $p_i < p$ for each $p_i$. Then each $p_i$ is the sum of two squares. If we can find the square partitions of each $p_i$, then by repeatedly employing the classical identity (12.3) we can get many two-square partitions of $N_1$. With one obtained two-square partition $N_1 = z^2 + w^2$ we can try to solve the equation
$$pN_1 = (x^2 + y^2)(z^2 + w^2) = (xz \pm yw)^2 + (xw \mp yz)^2 = u^2 + 1^2,$$
which results in the equations
$$xz \pm yw = a, \qquad xw \mp yz = b, \tag{12.4}$$
where $(a, b) = (\pm 1, \pm u)$ and $(\pm u, \pm 1)$. The solutions $(x, y)$ are some of the two-square partitions of the given $p$. It can be seen that all of the two-square partitions of $p$ can be obtained in this way if those of $N_1$ are given. Thus, one possible approach to the two-square partition of a given prime $p = 4k + 1$ may be summarized as follows:
Step 1: Choose a quadratic nonresidue $\xi$ of $p$.
Step 2: Calculate $\xi^k \bmod p = u$. If $u > p/2$, then set $u = p - u$.
Step 3: Let $N = u^2 + 1$, $N_1 = N/p$. Find the decomposition
$$N_1 = m^2 \prod_i p_i, \qquad p_i \equiv 1 \pmod 4,$$
where $m^2$ is the largest square factor of $N_1$, and $p_i < p$ for each $p_i$.
Step 4: Find the two-square partition of the $p_i$'s.
Step 5: Use the classical identity (12.3) to find the two-square partitions of $N_1$.
Step 6: For each partition of $N_1$, solve (12.4) to get the two-square partitions of $p$.
To illustrate the above approach, we take the prime $p = 149$. Note that 2 is a quadratic nonresidue (in fact, a primitive root) modulo $p$. By calculation we have $u = 44$. It follows that $N = 44^2 + 1$. Thus, $N_1 = N/p = 13$. It is easy to check that there are only four two-square partitions $13 = (\pm 3)^2 + (\pm 2)^2$. Solving (12.4) by choosing the eight possibilities of $(a, b)$, we get only four solutions $p = (\pm 10)^2 + (\pm 7)^2$. Actually, these are all the two-square partitions of 149.

Now we turn to the complexity of the above approach. For cryptographic purposes the primes should usually be quite large. The $N$ in Step 2 is larger than the prime $p$. Thus finding prime factors of $N_1$ is usually difficult. Step 4 is the Descent Step. Step 5 and Step 6 are relatively easy. Steps 1 and 2 are very easy. Thus it is in general very difficult to get the two-square partitions of given large primes of the form $p = 4k + 1$ with the above method. But for special primes of this form the above approach may be simple.

A concise exposition of four different constructions for $x$ and $y$ in the partition $p = x^2 + y^2$ is given in [80, pp. 120-123]. Here we give a detailed discussion of the most efficient of these methods. According to Lehmer [212], in a one-page note Hermite [168] published the following efficient method for representing a given prime $p \equiv 1 \pmod 4$ as a sum of squares:
1. Find the solution $x_0$ of $x^2 \equiv -1 \pmod p$, where $0 < x_0 < p/2$.
2. Expand $x_0/p$ into a simple continued fraction to the point where the denominators of its convergents $A'_n/B'_n$ satisfy the inequality $B'_{k+1} < \sqrt{p} < B'_{k+2}$. Then
$$p = (x_0 B'_{k+1} - pA'_{k+1})^2 + (B'_{k+1})^2.$$
This method, which was the best method known before 1967 (see Shanks [325]) for computing $x$ and $y$ in $p = x^2 + y^2$, appeared simultaneously with a paper of Serret [323] on the same subject. Hermite's method, however, is superior, in that it contains a criterion for ending the algorithm at the right place, while Serret's does not (see Brillhart [36]). In 1972 Brillhart gave an improvement of the algorithm, based on the fact that the calculation of the convergents in Step 2 can be dispensed with, since the values needed for the representation are already at hand in the continued fraction expansion itself. The shortened algorithm by Brillhart is the following:
1. The same as in Hermite's method.
2. Carry out the Euclidean algorithm on $p/x_0$ (not $x_0/p$), producing the sequence of remainders $R_1, R_2, \ldots$, to the point where $R_i$ is first less
than $\sqrt{p}$, and
$$p = \begin{cases} R_i^2 + R_{i+1}^2, & \text{if } R_1 > 1, \\ x_0^2 + 1, & \text{if } R_1 = 1. \end{cases}$$
Brillhart's proof of the shortened algorithm is the following. Assume $R_1 > 1$. Since $0 < x_0 < p/2$ and $p \mid (x_0^2 + 1)$, then from Perron [277] we see that the following properties hold:
(i) The continued fraction expansion of $p/x_0$ has an even number of partial quotients and is palindromic, i.e.,
$$p/x_0 = [q_0, q_1, \ldots, q_k, q_k, \ldots, q_1, q_0] = A_{2k+1}/B_{2k+1}, \qquad k \geq 0.$$
(Observe that the convergents $A'_{n+1}/B'_{n+1}$ for the expansion of $x_0/p$ are the reciprocals of the convergents $A_n/B_n$ for $p/x_0$.)
(ii) $A_{2k+1} = p$ and $A_{2k} = x_0$.
(iii) $p = A_k^2 + A_{k-1}^2$.
(iv) From (ii), the recursion formula for the numerators $A_n$ gives the following set of equations:
$$p = q_0 x_0 + A_{2k-1}, \qquad x_0 = q_1 A_{2k-1} + A_{2k-2}, \qquad \ldots$$
The equations in (iv) are clearly identical with those in the Euclidean algorithm for $p/x_0$. Hence, $A_{2k-1} = R_1$, $A_{2k-2} = R_2$, ..., $A_{k+1} = R_{k-1}$, $A_k = R_k$, $A_{k-1} = R_{k+1}$, .... Using these equations with (iii) gives $p = R_k^2 + R_{k+1}^2$. Certainly, then $R_k < \sqrt{p}$. If $k = 1$, then $R_k$ is the first $R_k < \sqrt{p}$. If $k > 1$, then from the observation in (i), $R_{k-1} = A_{k+1} = B'_{k+2}$. But, from Hermite's development, $B'_{k+2} > \sqrt{p}$, so $R_k$ is the first remainder less than $\sqrt{p}$. If $R_1 = 1$, then $p = q_0 x_0 + 1$ and $p/x_0 = [q_0, q_0]$. Together, these imply $q_0 = x_0$, so $p = x_0^2 + 1$. This completes the proof.

As already made clear in our first approach, the solution $x_0$ of $x^2 \equiv -1 \pmod p$ can be obtained by computing $x_0 = c^{(p-1)/4} \bmod p$, where $c$ is a quadratic nonresidue of $p$. Brillhart pointed out that $c = 2$ and $c = 3$ can be used when $p \equiv 5 \pmod 8$ and $p \equiv 17 \pmod{24}$, respectively. In the remaining case, $p \equiv 1 \pmod{24}$, $c$ can be found by using the quadratic reciprocity law. To illustrate the shortened algorithm, we take the example given by Brillhart. Let $p = 10006721 \equiv 17 \pmod{24}$. Then $c = 3$ and $x_0 \equiv 3^{2501680}$, that is,
$x_0 \equiv 2555926 \pmod p$. Then
$$\begin{aligned}
10006721 &= 3 \cdot 2555926 + 2338943 \\
2555926 &= 1 \cdot 2338943 + 216983 \\
2338943 &= 10 \cdot 216983 + 169113 \\
216983 &= 1 \cdot 169113 + 47870 \\
169113 &= 3 \cdot 47870 + 25503 \\
47870 &= 1 \cdot 25503 + 22367 \\
25503 &= 1 \cdot 22367 + 3136 \\
22367 &= 7 \cdot 3136 + 415
\end{aligned}$$
Hence, since $22367^2 > p$ and $3136^2 < p$, we have $p = 3136^2 + 415^2$.
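Both procedures above, the six-step descent approach and Brillhart's shortened algorithm, are implemented in the following added Python example (not code from the book or from Brillhart); choosing the quadratic nonresidue by Euler's criterion and factoring N1 by trial division are assumptions of the example, adequate for the two primes worked on this page, 149 and 10006721.

```python
# Added example (not the book's code): two ways to write a prime p = 4k + 1 as
# x^2 + y^2 -- the six-step descent approach of Section 12.2 and Brillhart's
# shortened form of Hermite's algorithm.


def sqrt_minus_one(p):
    """x0 with x0^2 = -1 (mod p) and 0 < x0 < p/2 (Steps 1-2): take a quadratic
    nonresidue c, found by Euler's criterion, and x0 = c^((p-1)/4) mod p."""
    assert p % 4 == 1
    c = 2
    while pow(c, (p - 1) // 2, p) != p - 1:
        c += 1
    x0 = pow(c, (p - 1) // 4, p)
    return min(x0, p - x0)


def prime_factors(n):
    """Trial-division factorisation of n (primes listed with multiplicity)."""
    primes, d = [], 2
    while d * d <= n:
        while n % d == 0:
            primes.append(d)
            n //= d
        d += 1
    return primes + [n] if n > 1 else primes


def gauss_mul(a, b):
    """Product of Gaussian integers (x, y) ~ x + yi.  Norms multiply, which is
    the classical identity (12.3): (x^2+y^2)(z^2+w^2) = (xz-yw)^2 + (xw+yz)^2."""
    return (a[0] * b[0] - a[1] * b[1], a[0] * b[1] + a[1] * b[0])


def descent_partition(p):
    """Steps 1-6 of Section 12.2, with the Descent Step done recursively on the
    prime factors of N1 = (u^2 + 1)/p, which are all 2 or 1 (mod 4) and < p."""
    if p == 2:
        return (1, 1)
    u = sqrt_minus_one(p)
    n1 = (u * u + 1) // p                    # Step 3: N = u^2 + 1, N1 = N/p
    if n1 == 1:
        return (u, 1)
    # Step 4: partition each prime factor of N1 (the Descent Step).
    gaussian_primes = [descent_partition(q) for q in prime_factors(n1)]
    # Step 5: all partitions z^2 + w^2 of N1 obtained from (12.3) by choosing a
    # Gaussian prime or its conjugate for every prime factor.
    partitions = {(1, 0)}
    for g in gaussian_primes:
        partitions = {gauss_mul(r, h) for r in partitions for h in (g, (g[0], -g[1]))}
    # Step 6: solve (12.4) xz + yw = a, xw - yz = b with (a, b) = (+-1, +-u), (+-u, +-1).
    # Eliminating gives x = (az + bw)/N1 and y = (aw - bz)/N1, which must be integers.
    for z, w in partitions:
        for a, b in ((1, u), (u, 1), (1, -u), (u, -1)):
            nx, ny = a * z + b * w, a * w - b * z
            if nx % n1 == 0 and ny % n1 == 0:
                x, y = abs(nx // n1), abs(ny // n1)
                if x * x + y * y == p:
                    return (max(x, y), min(x, y))
    raise ArithmeticError("no partition found")   # cannot happen for prime p


def brillhart_partition(p):
    """Brillhart's shortened algorithm: run the Euclidean algorithm on p / x0 and
    take the first remainder R_k below sqrt(p); then p = R_k^2 + R_{k+1}^2,
    except that R_1 = 1 means p = x0^2 + 1."""
    x0 = sqrt_minus_one(p)
    a, b = p, x0
    r = a % b                                # R_1
    if r == 1:
        return (x0, 1)
    while r * r >= p:                        # advance until R_k^2 < p
        a, b = b, r
        r = a % b
    return (r, b % r)                        # (R_k, R_{k+1})


if __name__ == "__main__":
    for p in (149, 10006721):
        print(p, descent_partition(p), brillhart_partition(p))
```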
Clearly, some primes of special form can be expressed as a sum of two squares without much calculation. For example, the prime number $N = (2^{691} - 2^{346} + 1)/5$, discovered by Brillhart and Selfridge [36], can be easily written as $N = [(3 \cdot 2^{345} - 1)/5]^2 + [(2^{345} - 2)/5]^2$. Also, the identity $U_{2k+1} = U_k^2 + U_{k+1}^2$, where $U_n$ is the $n$th Fibonacci number, provides such a representation for Fibonacci primes in terms of the Fibonacci numbers themselves. The above shortened algorithm works very efficiently, since we have a fast algorithm for exponentiation modulo $p$ for finding an $x_0$, and step (2) of the algorithm is based on the Euclidean algorithm, which is efficient. If we need such an algorithm for the purpose of getting some Gaussian primes, one or several solutions of the quadratic partition may be enough. However, for the purpose of analyzing the stability of some cyclotomic numbers we need some special solutions as described in Chapter 4. So the problem now is how many distinct quadratic partitions $p = x^2 + y^2$ a prime $p = 4t + 1$ has. The following Proposition 12.2.5 shows that there are only four distinct integer solutions $(x, y)$, that is, every prime $p = 4t + 1$ is in one and only one way a sum of two squares of positive integers. This was already known to Fermat in 1640. Euler proved the converse of the above conclusion in 1742, which led also to a primality test. Now we turn to (12.1). For the solvability of (12.1) we have the following result, which was known to Fermat and was first proved by Euler [145].

Proposition 12.2.4 The Diophantine equation (12.1) is solvable if and only if all prime divisors $q$ of $n$ with $q \equiv 3 \pmod 4$ occur in $n$ to an even power.

Concerning the Diophantine equation (12.1), the following more general result was proved by Gauss with the help of quadratic forms [130], and by Jacobi [177] with the help of elliptic functions.
Proposition 12.2.5 Denote the number of divisors of $n$ by $d(n)$, and write $d_a(n)$ for the number of those divisors $d$ with $d \equiv a \pmod 4$. Let $n = 2^l n_1 n_2$, where $n_1 = \prod_{p \equiv 1 \pmod 4} p^r$, $n_2 = \prod_{q \equiv 3 \pmod 4} q^s$, and let $r(n)$ be the number of solutions of (12.1); then $r(n) = 0$ if any of the exponents $s$ is odd. If all $s$ are even, then $r(n) = 4d(n_1) = 4(d_1(n) - d_3(n))$.
12.3 $p = x^2 + 2y^2$ and $p = x^2 + 3y^2$

The cyclotomic numbers of orders 6, 12 and 24 depend on or partially on the quadratic partition
$$p = x^2 + 3y^2, \qquad x \equiv 1 \pmod 3, \tag{12.5}$$
and that of order 8 partially on the partition
$$p = x^2 + 2y^2, \qquad x \equiv 1 \pmod 4. \tag{12.6}$$
It has been proven by Euler that the following conclusion about the partition holds:

Proposition 12.3.1 An odd prime $p$ can be represented as $p = x^2 + 3y^2$ if and only if $p = 3$ or $p \equiv 1 \pmod 3$, and as $p = x^2 + 2y^2$ if and only if $p \equiv 1$ or $3 \pmod 8$.

Euler used the same two-step strategy in his proofs for $x^2 + 2y^2$ and $x^2 + 3y^2$ [70]. The Descent Steps are: if $p \mid x^2 + 2y^2$, $\gcd(x, y) = 1$, then $p$ is of the form $x^2 + 2y^2$; if $p \mid x^2 + 3y^2$, $\gcd(x, y) = 1$, then $p$ is of the form $x^2 + 3y^2$. The Reciprocity Steps are: if $p \equiv 1, 3 \pmod 8$, then $p \mid x^2 + 2y^2$, $\gcd(x, y) = 1$; if $p \equiv 1 \pmod 3$, then $p \mid x^2 + 3y^2$, $\gcd(x, y) = 1$, where $p$ is always an odd prime. The proof of Proposition 12.3.1 can be found, for example, in [381, 70]. We can give a similar approach to the determination of the solutions of (12.6) and (12.5), which is analogous to the first approach in the foregoing section. But the complexity of the approach is large. It seems unknown whether Hermite's algorithm can be modified into one for this kind of quadratic partition. Thus, an efficient algorithm for finding the solutions of (12.5) and (12.6) should be developed.
12.4 $p = x^2 + ny^2$ and Quadratic Reciprocity

Before going further into the cryptographic aspects of the quadratic partition $p = x^2 + ny^2$, we need to study the relation between the partition and quadratic reciprocity. The well-known law of quadratic reciprocity is described as follows.
Proposition 12.4.1 (Quadratic Reciprocity) If $p$ and $q$ are distinct odd primes, then
$$\left(\frac{p}{q}\right)\left(\frac{q}{p}\right) = (-1)^{(p-1)(q-1)/4},$$
where $(\cdot/\cdot)$ is the Legendre symbol.
This theorem is not only theoretically beautiful, but also computationally very useful. It is easy to prove that the above theorem of quadratic reciprocity is equivalent to the following proposition [70, p. 15].
Proposition 12.4.2 If $p$ and $q$ are distinct odd primes, then $(q/p) = 1$ if and only if $p \equiv \pm\alpha^2 \pmod{4q}$ for some odd integer $\alpha$.
The Reciprocity Step in treating the quadratic partition is closely connected to quadratic residues, as described by the following proposition. As pointed out in [70, p. 13], the Reciprocity Step was one of the main things that led Euler to discover quadratic reciprocity. The definition of quadratic residue immediately gives:
Proposition 12.4.3 Let $n$ be a nonzero integer, and $p$ an odd prime not dividing $n$. Then
$$p \mid x^2 + ny^2,\ \gcd(x, y) = 1 \iff \left(\frac{-n}{p}\right) = 1.$$

12.5 $p = x^2 + 7y^2$ and Quadratic

0. Their theories are simple and elegant. A primitive positive definite form $ax^2 + bxy + cy^2$ is said to be reduced if $|b| \leq a$ 0. To treat this problem generally, we need class field theory, which might be tentatively regarded as the search for those Abelian extension fields which make possible the solution of the problem of the representation of a prime by a quadratic form. We do not intend to go further into class field theory here. For details about the theory we refer to [70, 67]. Here we shall only present a general answer to Question 12.7.1 developed with the help of class field theory. For a proof of the following result, one may see, for example, Cox [70, pp. 110-112].
Proposition 12.7.5 Let $n > 0$ be a squarefree integer with $n \not\equiv 3 \pmod 4$. Then there is a monic irreducible polynomial $f_n(x) \in \mathbb{Z}[x]$ of degree $h(-4n)$ such that if an odd prime $p$ divides neither $n$ nor the discriminant of $f_n(x)$, then
$$p = x^2 + ny^2 \iff \left(\frac{-n}{p}\right) = 1 \ \text{and}\ f_n(x) \equiv 0 \pmod p \ \text{has an integer solution.}$$
Furthermore, $f_n(x)$ may be taken to be the minimal polynomial of a real algebraic integer $\alpha$ for which $L = K(\alpha)$ is the Hilbert class field of $K = \mathbb{Q}(\sqrt{-n})$.
So far we have not found efficient algorithms which enable us to answer Question 12.7.2 when $n \neq 2, 4$. This problem remains to be investigated. To answer Question 12.7.3, we need the theory of ring class fields together with Dirichlet density. The classical theorem that answers the question is that a primitive positive definite quadratic form $ax^2 + bxy + cy^2$ represents infinitely many prime numbers. Generally, we have the following proposition [70, 34, 382]:
Proposition 12.7.6 Let $ax^2 + bxy + cy^2$ be a primitive positive definite quadratic form of discriminant $D < 0$, and let $P_B(a, b, c)$ be the set of primes represented by this form. Then the Dirichlet density $\delta(P_B(a, b, c))$ exists and is given by the formula
$$\delta(P_B(a, b, c)) = \begin{cases} \dfrac{1}{2h(D)}, & \text{if this form is properly equivalent to its opposite;} \\[2mm] \dfrac{1}{h(D)}, & \text{otherwise.} \end{cases}$$
In particular, $ax^2 + bxy + cy^2$ represents infinitely many prime numbers.
As an example of what this proposition tells us, we consider forms of discriminant $-56$. Table 12.1 shows that the class number is 4 and gives the reduced forms. It follows from this proposition that
$$\delta(\{p \text{ prime} : p = x^2 + 14y^2\}) = \delta(\{p \text{ prime} : p = 2x^2 + 7y^2\}) = \frac{1}{8}, \qquad \delta(\{p \text{ prime} : p = 3x^2 + 2xy + 5y^2\}) = \frac{1}{4}.$$
Note that these densities sum to $1/2$, which is the density of primes for which $(-56/p) = 1$. Generally, for any given negative discriminant, the densities of primes represented by the reduced forms (counted properly) always sum to $1/2$ [70].
Owing to the difficulty of answering Question 12.7.2, Question 12.7.4 is especially important for our application. It is unknown how to find large primes in the set $B(n)$.

Research Problem 12.7.7 Develop methods for finding large primes in the set $B(n)$.

Since partitioning a prime $p$ into $p = x^2 + ny^2$ is necessary for analyzing a number of cryptographic attributes of some cyclotomic generators, an investigation into the following problem is important.

Research Problem 12.7.8 Develop an efficient algorithm for the partition of a prime into $p = x^2 + ny^2$ for $n > 3$.
12.8 Other Cryptographic Quadratic Partitions
Quadratic partitions $4p = x^2 + 27y^2$ with $x \equiv 1 \pmod 3$ are needed for analyzing the stability of cyclotomic numbers of order 3. In fact, if we can find the partitions $p = x^2 + 27y^2$, then we get
$$4p = (2x)^2 + 27(2y)^2.$$
As mentioned in Section 12.1, there are some other quadratic partitions of primes or multiples of primes we need for analyzing the nonlinearity of some cryptographic functions. The determination of these partitions is much more complicated. Thus, some quadratic partition problems for cryptographic purposes remain to be investigated. According to the literature only cyclotomic numbers of orders in the range [2, 24] are known. To construct generators in Chapter 8, we may need cyclotomic numbers of order $2k$ with $k > 12$. Thus, partitions $p = x^2 + ny^2$ for more $n$'s may be needed. It is not possible to develop here all the mathematical theories associated with this problem. But it might be worthwhile to point out some of them. The partition problem $p = x^2 + ny^2$ is related to the following mathematical theories: the classification of quadratic forms, genus theory, Euler's convenient numbers, quadratic reciprocity, cubic reciprocity, biquadratic and higher reciprocity, the Hilbert class field, ring class fields, elliptic curves, Gauss and Jacobi sums. Details about the relations can be found, for example, in [70, 175]. As we saw in Chapter 4, the cyclotomic numbers of order 10 depend on the quadratic partition
$$16p = x^2 + 50u^2 + 50v^2 + 125w^2$$
with $x \equiv 1 \pmod 5$ and $v^2 - 4uv - u^2 = xw$. Similar complicated quadratic partitions are needed to calculate cyclotomic numbers of other orders. It seems to be an open problem how to compute the values of $x, u, v, w$ efficiently, given $p$. Such a problem is of course important for the corresponding cyclotomic generators, since quite a number of cryptographic attributes of the generators depend on the cyclotomic constants.

To show the cryptographic importance of the quadratic partition $p = x^2 + y^2$, we mention the Ong-Schnorr-Shamir signature scheme. Here we will follow the description of the system by McCurley [243, p. 152]. In 1984, Ong, Schnorr, and Shamir [272] proposed a very efficient digital signature scheme based on the difficulty of solving a polynomial congruence modulo a composite integer. The original scheme was the following. A trusted authority chooses an odd integer $n = pq$ that is presumed hard to factor and publishes the number $n$ (alternatively, each user could choose his own modulus $n$). Each user who wishes to sign a message $m$ chooses a secret random integer $s$, computes $k \equiv s^2 \pmod n$ and gives $k$ to the trusted authority. The trusted authority publishes all the public keys $k$. In order to sign $m$, the user will then produce a solution $x, y$ to the congruence $x^2 - ky^2 \equiv m \pmod n$. Anyone can easily verify the validity of the signature $x, y$. Moreover, the user who holds the secret key $s$ can easily produce a solution by first choosing a random integer $r$ and then applying the extended Euclidean algorithm to calculate
$$x = 2^{-1}(mr^{-1} + r) \bmod n, \qquad y = (2s)^{-1}(mr^{-1} - r) \bmod n.$$
It has been pointed out in [243] that the security of the scheme depends on a forger's apparent inability to find a solution to the congruence $x^2 - ky^2 \equiv m \pmod n$ when $k$, $m$ and $n$ are given, but $s$ is kept secret. Unfortunately, the system was cracked shortly afterwards by Pollard [243]. Pollard and Schnorr [285] later proved that the congruence could be solved in random polynomial time assuming the extended Riemann hypothesis. This result was later improved by Adleman, Estes and McCurley [1]. As made clear in Section 12.1, a prime $p$ can be represented as $p = x^2 + y^2$ if and only if $p \equiv 1 \pmod 4$; also, there is an efficient algorithm for finding such a representation. The method of solving the congruence $x^2 \pm y^2 \equiv m \pmod n$ is closely related to the quadratic partition of primes into $p = x^2 + y^2$. First, note that a solution to $x^2 - y^2 \equiv m \pmod n$ can be constructed trivially by solving the linear congruences
$$x - y \equiv m \pmod n, \qquad x + y \equiv 1 \pmod n.$$
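The signing and verification equations above, together with the trivial construction for x² − y² ≡ m (mod n), as an added Python example that is not from the book or the cited papers; the toy modulus n = 101·103, the message and the RNG seed are constructed values, and the scheme is reproduced only for its arithmetic, since, as noted above, it was broken.

```python
# Added example (not from the book or the cited papers): the Ong-Schnorr-Shamir
# scheme as described above, plus the trivial solution of x^2 - y^2 = m (mod n).
import random
from math import gcd


def oss_keygen(n, rng):
    """Secret s, invertible mod n, and the public key k = s^2 mod n."""
    while True:
        s = rng.randrange(2, n)
        if gcd(s, n) == 1:
            return s, (s * s) % n


def oss_sign(n, s, m, rng):
    """Signature (x, y) with x^2 - k y^2 = m (mod n), k = s^2, from a random
    invertible r:  x = 2^-1 (m r^-1 + r),  y = (2s)^-1 (m r^-1 - r)  (mod n).
    Check: x - s y = r and x + s y = m r^-1, so (x - sy)(x + sy) = m."""
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            break
    r_inv = pow(r, -1, n)
    x = (pow(2, -1, n) * (m * r_inv + r)) % n
    y = (pow(2 * s, -1, n) * (m * r_inv - r)) % n
    return x, y


def oss_verify(n, k, m, sig):
    """Anyone can check the signature from the public data (n, k, m) alone."""
    x, y = sig
    return (x * x - k * y * y) % n == m % n


def trivial_difference_solution(n, m):
    """x^2 - y^2 = m (mod n) from x - y = m, x + y = 1 (mod n), n odd."""
    half = pow(2, -1, n)
    return ((m + 1) * half) % n, ((1 - m) * half) % n


def oss_demo(n, m, seed):
    """Key generation, signing and verification with a seeded RNG; returns
    (verification result, signature)."""
    rng = random.Random(seed)
    s, k = oss_keygen(n, rng)
    sig = oss_sign(n, s, m, rng)
    return oss_verify(n, k, m, sig), sig


if __name__ == "__main__":
    N_DEMO = 101 * 103          # constructed toy modulus; a real one must be hard to factor
    print(oss_demo(N_DEMO, 4242, 1))
    print(trivial_difference_solution(N_DEMO, 4242))
```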
The case $x^2 + y^2 \equiv m \pmod n$ can be done as follows: we can use a method to find a prime $p$ satisfying $p \equiv m \pmod n$ and $p \equiv 1 \pmod 4$ [243]. Then
we use the algorithm in Section 12.1 to find one quadratic partition of the prime $p$, i.e., $p = x^2 + y^2$. Then we have a solution of $x^2 + y^2 = p \equiv m \pmod n$. According to [243], Pollard's key idea for solving the congruence $x^2 - ky^2 \equiv m \pmod n$ is to reduce it to solving a congruence of the same form, but with $k$ replaced by some $k_1$ with $|k_1| <$

$l$, it follows from what we proved above that $a(\theta) = 0$. Thus, $m^*(x)$ must divide $a(x)$, since the minimal polynomial of $\beta$ is $m^*(x)$. Due to the primitivity of $\theta$ the order of $m(x)$ and $m^*(x)$ must be $q^m - 1$. The least period of $s^\infty$ follows. This completes the proof. □

The above discussions, in particular Proposition 13.2.5 and Theorem 13.2.7, show that all of the maximum-length sequences over $GF(q)$ with period $q^m - 1$ can be realized by the generator of Figure 13.2, where $N = q^m - 1$, $\sum_N$ denotes modulo $N$ addition, $\mathrm{Tr}(x)$ denotes the trace function from $GF(q^m)$ to $GF(q)$, $\alpha$ is a chosen primitive element of $GF(q^m)$ and $\beta$ is an element of $GF(q^m)$. By Theorem 13.2.6 every nonzero linear function from $F$ to $K$ has the best nonlinearity with respect to $(F^*, \times)$ and $(K, +)$. This rather remarkable result turns out to be easy to prove. However, the nonlinearity of the linear functions with respect to $(F^*, \times)$ and $(K, \times)$ seems more complicated. For some of them
Figure 13.3: A modified generator of Figure 13.2 (block diagram with a clock input and an output sequence).
the nonlinearity depends on cyclotomic numbers. As shown in some of the preceding chapters, the nonlinearity of some of them is indeed good. Thus, it may be concluded that finite fields are cryptographically useful in many ways. It may be difficult to assess the cryptographic value of the balanced functions from one field to another without putting them into specific cryptographic contexts. Sometimes, in order to find "good" cryptographic building materials in some cryptographic context, we try to find some "bad" ones in some sense and to use them in proper ways. We know that in the generator of Figure 13.2, its cryptographic function has the best nonlinearity with respect to $(F^*, \times)$ and $(K, +)$. This is one of its cryptographic advantages. However, the output sequences have only linear complexity $m$. To improve the generator, we can choose a permutation $P(x)$ of $\mathbb{Z}_{q^m - 1}$ and produce the modified generator of Figure 13.3. Of course, affine permutations $P(x)$ of $\mathbb{Z}_{q^m - 1}$ give only a decimation of the m-sequences. Thus, they give no improvement to the output sequences. It is not difficult to give examples to show that there are some permutations which can improve the linear complexity of the sequences. Naturally, we can choose the function $P(x)$ as a general mapping from
$\mathbb{Z}_{q^m - 1}$ to $\mathbb{Z}_{q^m - 1}$. That is to say, $P(x)$ need not be one-to-one. But in this case the balance property of m-sequences will be changed to some extent. The stop-and-go generator [18] can be realized by the generator of Figure 13.3 by choosing $P(x)$ properly (not one-to-one). How to choose an integer function $P(x)$ from $\mathbb{Z}_{q^m - 1}$ to $\mathbb{Z}$ such that the output sequences of the generator of Figure 13.3 have some good cryptographic properties is an interesting problem.
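An added Python example (not the book's code) realising the generator of Figure 13.2 over GF(2^4) with the trace function and measuring, with Berlekamp-Massey, how the index map P(x) of Figure 13.3 changes the linear complexity; the field polynomial x^4 + x + 1, the affine map P(x) = 7x mod 15 and the transposition of two indices used as a non-affine P are assumptions.

```python
# Added example (not the book's code): s_i = Tr(beta * alpha^i) over GF(2^4)
# (Figure 13.2), then the index map P(x) of Figure 13.3, with the linear
# complexity measured by Berlekamp-Massey.  Elements of GF(2^m) are integers
# whose bits are polynomial coefficients; the field polynomial is an assumption.


def gf_mul(a, b, poly, m):
    """Multiply two elements of GF(2^m); poly includes the x^m term."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:
            a ^= poly
    return r


def trace(beta, poly, m):
    """Tr(beta) = beta + beta^2 + ... + beta^(2^(m-1)), an element of GF(2)."""
    t, power = 0, beta
    for _ in range(m):
        t ^= power
        power = gf_mul(power, power, poly, m)
    return t


def trace_sequence(poly, m, beta=1):
    """One period s_i = Tr(beta * alpha^i), i = 0..2^m - 2, with alpha = x
    primitive (Figure 13.2 with N = 2^m - 1 and the identity map as P)."""
    n = (1 << m) - 1
    seq, elem = [], beta
    for _ in range(n):
        seq.append(trace(elem, poly, m))
        elem = gf_mul(elem, 0b10, poly, m)        # multiply by alpha = x
    return seq


def apply_index_map(seq, perm):
    """Figure 13.3: output s_{P(i)} for i = 0..N-1 (P need not be one-to-one)."""
    return [seq[perm(i) % len(seq)] for i in range(len(seq))]


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating bits.
    Feed two periods to obtain the linear complexity of a periodic sequence."""
    n_bits = len(bits)
    c = [1] + [0] * n_bits       # current connection polynomial C(x)
    b = [1] + [0] * n_bits       # C(x) before the last length change
    big_l, m = 0, 1
    for n, s_n in enumerate(bits):
        d = s_n                  # discrepancy between prediction and s_n
        for i in range(1, big_l + 1):
            d ^= c[i] & bits[n - i]
        if d == 0:
            m += 1
            continue
        t = c[:]
        for i in range(n_bits + 1 - m):
            c[i + m] ^= b[i]     # C(x) <- C(x) + x^m B(x)
        if 2 * big_l <= n:
            big_l, b, m = n + 1 - big_l, t, 1
        else:
            m += 1
    return big_l


def periodic_complexity(seq):
    return linear_complexity(seq * 2)


if __name__ == "__main__":
    s = trace_sequence(0b10011, 4)                # x^4 + x + 1, period 15
    print(s, periodic_complexity(s))
    print(periodic_complexity(apply_index_map(s, lambda i: 7 * i)))   # affine P: still m = 4
    swap = {3: 4, 4: 3}                           # a non-affine permutation of Z_15
    print(periodic_complexity(apply_index_map(s, lambda i: swap.get(i, i))))
```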
Research Problem 13.2.8 How can we choose an integer function $P(x)$ from $\mathbb{Z}_{q^m - 1}$ to $\mathbb{Z}$ in Figure 13.3 to guarantee large linear complexity and ideal pattern distributions for the output sequence of the generator?

13.3 The Nonlinearity of Characters
Let $G$ be a finite Abelian group. Then the characters of $G$ form an Abelian group under the product of characters. Thus every character $\chi$ will have $\chi^{|G|} = \chi_0$, where $\chi_0$ is the trivial character (sometimes referred to as the principal character). We say that $\chi$ is of order $d$ if $\chi^d = \chi_0$, and if $d$ is the smallest positive integer with this property. It is well known that $d$ divides $|G|$. As seen before, field characters play an important role in the design of some keystream generators. Our task in this section is to analyze the nonlinearity of field characters with respect to some operations. We will show that sometimes the nonlinearity is almost optimal. This fact indicates again that linearity with respect to one pair of operations could indicate the best nonlinearity with respect to another pair of operations. It may follow that one way to get goodness is to make use of badness in a proper way.
13.3.1 The Nonlinearity of Multiplicative Characters
A multiplicative character $\chi$ is of course linear with respect to $(GF(q)^*, \times)$ and $(U, \times)$, where $U$ is the set of complex numbers of absolute value 1. Let $\mathrm{ord}(\chi) = d$, and let $U_d$ denote the $d$th roots of unity in the complex numbers. Then $\chi$ is a mapping from $GF(q)^*$ to $U_d$. As before, we need to extend $\chi$ to $GF(q)$. This is done by defining $\bar\chi(0) = c$, where 0 is the zero element of $GF(q)$, and $c$ is any chosen element of $U_d$. We write $\bar\chi$ for such an extended character of $\chi$. Choosing a generator $a$ of $U_d$, we could have a cryptographic function
$$F(x) = \log_a \bar\chi(x), \qquad x \in GF(q),$$
which is a mapping from $GF(q)$ to $\mathbb{Z}_d$.
Clearly, we have $F(xy) = F(x) + F(y)$ for each pair of nonzero $x$ and $y$. Thus the nonlinearity of $F(x)$ with respect to $(GF(q), +)$ and $(\mathbb{Z}_d, +)$ is the same as that of $\bar\chi$ with respect to $(GF(q), +)$ and $(U_d, \times)$. For each element $u$ of $U_d$, we define now the set
$$D_u = \{y : \chi(y) = u,\ y \in GF(q)^*\}.$$
Since $\chi$ is a nontrivial linear mapping from $(GF(q)^*, \times)$ to $(U_d, \times)$, we have $|D_u| = (q - 1)/d$ for each $u \in U_d$. Given a $u \in U_d$ with $u \neq 1$ and any nonzero element $a \in GF(q)$, we write
$$N(a, u) = \left|\left\{y : \frac{y + a}{y} \in D_u,\ y \in GF(q)^*\right\}\right|.$$
Then
$$N(a, u) = \begin{cases} |D_u| - 1, & \text{if } 1 \in D_u; \\ |D_u|, & \text{otherwise.} \end{cases}$$
It follows from the fact $\chi(y + a)/\chi(y) = \chi((y + a)/y)$ that |D_u| 1 and $d \mid q$. By definition $\psi$ is linear with respect to $(GF(q), +)$ and $(U_d, \times)$. Writing $\psi^*$ for the restriction of $\psi$ to $GF(q)^*$, we consider now the nonlinearity of $\psi^*$ with respect to $(GF(q)^*, \times)$ and $(U_d, \times)$. For each $u$ in $U_d$ we define the set $D_u$ by
$$D_u = \{y : \psi(y) = u,\ y \in GF(q)\}.$$
Then it follows from the linearity of $\psi$ with respect to $(GF(q), +)$ and $(U_d, \times)$ that
ID=I =q/d
13.4. Ring Characters and Cryptography
for each u in $U_d$. Combining the above facts and the fact that $\psi(ax)/\psi(x) = \psi(x(a-1))$, we have the following conclusion.

Theorem 13.3.2 Let the symbols be the same as before. Then for each a of $GF(q)^*$ with $a \neq 1$ and each u of $U_d$ with $u \neq 1$,
$$\Pr\left(\psi^*(ax)/\psi^*(x) = u\right) = \frac{1}{d} + \frac{1}{d(q-1)}.$$
With this theorem we can now conclude that the nonlinearity of nontrivial additive characters of finite fields with respect to $(GF(q)^*, \times)$ and $(U_d, \times)$ is the best possible.

13.4 Ring Characters and Cryptography
Let $(R, +, \times)$ be a finite commutative ring with multiplicative identity $1_R$. The additive characters of R are clear, since (R, +) is an Abelian group. Let $R^*$ be the set of all multiplicatively invertible elements of R. Then $(R^*, \times)$ is an Abelian group. The multiplicative characters of R are defined to be those of $(R^*, \times)$. Ring characters could be cryptographically as attractive as field characters. In fact the twin-prime generator, the two-prime generator and the square generator in Chapter 8 employ the ring multiplicative characters of $Z_{pq}$ and $Z_{p^2}$, where p and q are distinct prime numbers in Z. The nonlinearity of those cryptographic functions based on some of the ring multiplicative characters depends not only on the generalized cyclotomic numbers, but also on the assignment of the elements of $Z_{pq} \setminus Z_{pq}^*$ and $Z_{p^2} \setminus Z_{p^2}^*$. For these two kinds of rings, the assignment of those zero divisors does not contribute much to the nonlinearity of the cryptographic function due to the fact that $|Z_{pq}^*|/|Z_{pq}|$ and $|Z_{p^2}^*|/|Z_{p^2}|$ are both approximately one. The Jacobi symbol is also a multiplicative character of the residue ring $Z_n$. But to extend it into a cryptographic function, the assignment of the zero divisors of $Z_n$ will be of significance when n has many small factors. Let a be a nonzero integer, b an odd integer, such that gcd(a, b) = 1. The Jacobi symbol (a/b) is defined as an extension of the Legendre symbol, in the following manner. Let $|b| = \prod_{p \mid b} p^{e_p}$ (with $e_p \geq 1$). Then
$$\left(\frac{a}{b}\right) = \prod_{p \mid b} \left(\frac{a}{p}\right)^{e_p}.$$
Therefore, (a/b) is equal to +1 or −1. Here are some of the properties of the Jacobi symbol:
1. ( ~ )  (~1) 1.
3. $\left(\frac{a}{bb'}\right) = \left(\frac{a}{b}\right)\left(\frac{a}{b'}\right)$.
4. If a, b are relatively prime odd integers and $b \geq 3$, then we have the reciprocity law:
$$\left(\frac{a}{b}\right)\left(\frac{b}{a}\right) = (-1)^{(a-1)(b-1)/4}.$$
5. If $b \geq 3$ and a is a square modulo b, then $\left(\frac{a}{b}\right) = 1$.

Apart from the moduli n = pq and $n = p^2$, other cryptographically good moduli for employing the Jacobi character may be 2p, 4p and 4pq. The Jacobi character is also related to genus theory [70]. Let n be odd; then there are some nontrivial linear functions from $Z_n$ to $Z_2$ with respect to $(Z_n, +)$ and $(Z_2, +)$; f(x) = x mod 2 is one example. Similar to the case of fields, we want to know the nonlinearity of the linear functions with respect to $(Z_n, \times)$ and $(Z_2, +)$. This problem seems complicated and remains open.

13.5 Group Characters and Cyclotomic Numbers
Group characters are not only ideal cryptographic functions for certain applications, but also quite useful in calculating cyclotomic numbers, which determine a number of cryptographic attributes of cyclotomic generators. In fact, all known cyclotomic numbers are calculated based on some character sums, among which are Gauss sums, Jacobi sums and Dickson-Hurwitz sums. A connection between character sums and cyclotomic numbers is natural, since the number of solutions of many equations can be expressed as a kind of character sum. In this section we use group characters to calculate the cyclotomic numbers of order 2. Let $\chi$ be a multiplicative character of GF(q) with order d. Then d must divide q − 1. As before, we let $U_d$ denote the dth roots of unity in the complex numbers, say $U_d = \{u_0 = 1, \ldots, u_{d-1}\}$. For each i, where $0 \leq i$

$> 0$ such that $a_i = a_{i+N}$ for all $i \geq m$, the expression (14.3) is said to be eventually or ultimately periodic with period N, and periodic if m = −k. For simplicity we sometimes write an ultimately periodic expansion as
$$\alpha = a_{-k} a_{-k+1} \ldots a_{m-1} \overline{a_m \ldots a_{m+N-1}},$$
where the bar represents the repeated part.

Proposition 14.1.3 Let $\alpha = p/q \neq 0$ be a rational number with q > 1 being odd, |p| < q, and gcd(p, q) = 1. And let $p = 2^m p_1$, where $\gcd(2, p_1) = 1$ and $m \geq 0$. Then $\alpha$ has the unique ultimately periodic 2-adic expansion
$$\alpha = 0 \ldots 0\, 1\, a_{m+2} \ldots a_{m+h-1} \overline{a_{m+h} \ldots a_{m+h+N-1}},$$
where at the beginning of the sequence there are exactly m zeros before the first 1, and N is a positive integer with $1 \leq N \leq q - 1$.
Chapter 14. P-Adic Numbers, Class Numbers and Sequences
Proof: To get a 2-adic expansion for p/q, we repeat the procedure of finding the solution for (14.2) until a repeated rational number is found. After repeating the procedure m times we get the first part of the 2-adic expansion 0...0 with m zeros and the rational number $p_1/q$. Since $p_1$ is odd and $\gcd(2, p_1) = 1$, repeating the procedure once more gives us a 1 after the zero sequence and a new rational number, denoted still by $p_1/q$, where $p_1 < 0$. Then all the following new $p_1$'s remain negative when the procedure is further repeated. Because there are at most q − 1 new rational numbers $p_1/q$ with $p_1$ negative and $|p_1| < q$, after at most q − 1 calls of the procedure we must get a rational number which had already appeared before. Then we get an ultimately periodic expansion for $\alpha$ as described in the proposition. The uniqueness of the expansion follows from that of the solution of (14.2). □

We now take an example to show how to get the 2-adic expansion for a rational number described in Proposition 14.1.3. Applying the constructive proof procedure for Proposition 14.1.3, we obtain
$$\begin{aligned}
4/9 &= 0 + 2 \cdot (2/9), \\
2/9 &= 0 + 2 \cdot (1/9), \\
1/9 &= 1 + 2 \cdot (-4/9), \\
-4/9 &= 0 + 2 \cdot (-2/9), \\
-2/9 &= 0 + 2 \cdot (-1/9), \\
-1/9 &= 1 + 2 \cdot (-5/9), \\
-5/9 &= 1 + 2 \cdot (-7/9), \\
-7/9 &= 1 + 2 \cdot (-8/9), \\
-8/9 &= 0 + 2 \cdot (-4/9).
\end{aligned}$$
Therefore the expansion of 4/9 is
$$\frac{4}{9} = 001\overline{001110}.$$
The proof of Lemma 14.1.2 can be used to prove the following conclusion.

Lemma 14.1.4 For every rational number $\alpha = p/q \neq 0$, where q > 1 is odd, |p| > q and gcd(p, q) = 1, there exist two unique integers $u \in \{0, 1\}$ and $p'$ with $0 < |p'| < |p|$ such that
$$\frac{p}{q} = u + 2\frac{p'}{q}, \tag{14.4}$$
where $(u, p') = (0, p/2)$ if p is even, and $(u, p') = (1, (p-q)/2)$ if p is odd.
Similar to Proposition 14.1.3, by repeating the procedure of finding the solution of (14.4) we can prove the following proposition.
14.1. The 2-Adic Value and 2-Adic Expansion
Proposition 14.1.5 Every rational number $\alpha = p/q \neq 0$, where q > 1 is odd, |p| > q, and gcd(p, q) = 1, has the following unique expression
$$\alpha = \sum_{i=0}^{h-1} a_i 2^i + 2^{h}\frac{p'}{q},$$
where |p'| < q, gcd(p', q) = 1, and $a_i \in \{0, 1\}$ for all i. Combining Lemma 14.1.1, Propositions 14.1.3 and 14.1.5, we obtain the following conclusion.

Proposition 14.1.6 Every rational number has a unique ultimately periodic 2-adic expansion.

The foregoing discussions show that the 2-adic expansion of a nonzero rational number $\alpha = p/q$ can be determined by the following procedure:

St1: Reduce p/q so that gcd(p, q) = 1 and $q \geq 1$.
St2: With the proof procedure of Lemma 14.1.1 determine f and a pair of integers s and t such that
$$2^{f}\frac{p}{q} = \frac{s}{t}, \quad \gcd(s, t) = \gcd(2, t) = 1.$$
If |s| < t, then go to Step 4; otherwise go to Step 3.
St3: With the procedure of Lemma 14.1.4, find the expression
$$\frac{s}{t} = \sum_{i=0}^{h-1} a_i 2^i + 2^{h}\frac{s'}{t},$$
where |s'| < t, gcd(s', t) = 1, and $a_i \in \{0, 1\}$ for all i.
St4: Apply the proof procedure of Proposition 14.1.3 to s/t resp. s'/t to get the 2-adic expansion of s/t resp. s'/t, denoted by $\{b_i\}_{i \geq 0}$.
St5: Output $\sum_{i=0}^{\infty} 2^{i-f} b_i$ resp. $\sum_{i=0}^{h-1} 2^{i-f} a_i + \sum_{j=0}^{\infty} 2^{h-f+j} b_j$ as the 2-adic expansion of the rational number.

The converse of Proposition 14.1.6 is the following conclusion.

Proposition 14.1.7 For every ultimately periodic binary sequence $a^\infty$ the associated 2-adic number $\sum_{i=0}^{\infty} a_i 2^i$ is the 2-adic expansion of a rational number.
Proof: Because of the eventual periodicity let m and N > 0 be two integers such that $a_i = a_{i+N}$ for all $i \geq m$. First, we have
$$\alpha = \sum_{i=0}^{\infty} a_i 2^i = \sum_{i=0}^{m-1} a_i 2^i + \sum_{i=m}^{\infty} a_i 2^i.$$
Then it follows that
$$2^N \alpha = 2^N \sum_{i=0}^{m-1} a_i 2^i + \sum_{i=m}^{\infty} a_i 2^{i+N} = (2^N - 1)\sum_{i=0}^{m-1} a_i 2^i - \sum_{i=m}^{N+m-1} a_i 2^i + \alpha.$$
Hence,
$$\alpha = \sum_{i=0}^{m-1} a_i 2^i - \frac{\sum_{i=m}^{N+m-1} a_i 2^i}{2^N - 1}, \tag{14.5}$$
which is a rational number. □

The above proof of Proposition 14.1.7, which parallels the classical proof of the rational expression p(x)/q(x) for sequences over a field, follows the proof of the following conclusion [192].
Proposition 14.1.8 Every periodic 2-adic integer $\sum_{i=0}^{\infty} a_i 2^i$ is the 2-adic expansion of a rational number $\alpha = p/q$ with q odd and $-q < p \leq 0$.

and $\gcd(p_1, 2) = 1$. Consider the principal ideal $(p_1/q)A$. We first prove
$$\frac{p_1}{q} A = A. \tag{14.6}$$
The inclusion $(p_1/q)A \subseteq A$ is trivial. To prove the reverse inclusion, take any element $s/t \in A$ in reduced form. Then it is easily verified that $\gcd(sq, tp_1) = \gcd(s, p_1)\gcd(q, t)$, which is odd. Set $x = sq/\gcd(sq, tp_1)$ and $y = tp_1/\gcd(sq, tp_1)$. Then y is odd, and $x/y \in A$ such that
$$\frac{s}{t} = \frac{p_1}{q} \cdot \frac{x}{y} \in \frac{p_1}{q} A.$$
This shows the reverse inclusion and proves (14.6). Finally, we have $(p/q)A = 2^m((p_1/q)A) = 2^m A$. This completes the proof. □
14.3. The Arithmetic of Q[2] and Z[2]
Proposition 14.3.3 A is a principal ideal domain.

Proof: Let I be a nonzero ideal of A. Set
$$m = \min\{m : \text{nonzero } 2^m p/q \in I,\ \gcd(2, p) = 1,\ \text{and } p/q \text{ is reduced}\}.$$
Assume that $2^m p/q \in I$, where p/q is reduced and gcd(2, p) = 1. Since $q/p \in A$, we have $2^m = 2^m (p/q)(q/p) \in I$. Thus, we have $I \supseteq 2^m A$. On the other hand, each $0 \neq i \in I$ can be written as
$$i = 2^{m'} p/q,$$
where $m' \geq m$, the number p/q is reduced and gcd(2, p) = 1. Thus, $i = 2^m 2^{m'-m} p/q \in 2^m A$. It follows $I \subseteq 2^m A$. Finally, {0} is clearly a principal ideal. Thus, every ideal of A is a principal ideal. □

A ring is called a local ring if it has only one maximal ideal. It follows from Propositions 14.3.2 and 14.3.3 that the first part of the following proposition is true, while the second part is easily verified.

Proposition 14.3.4 A is a local ring with the maximal ideal 2A. Furthermore $A/2A \cong Z_2$.

Let F be a field. A ring $O \subset F$ is said to be a valuation ring of F if $z \in O$ or $z^{-1} \in O$ for each $z \neq 0$. Let $O^* = \{z \in O : \text{there is a } w \in O \text{ with } zw = 1\}$. We can verify that the following claims are true:
1. Any valuation ring is a local ring.
2. Its unique maximal ideal, denoted by P and called a place, is a principal ideal.
3. If P = tO then any nonzero $z \in F$ has a unique representation of the form $z = t^n u$ for some $n \in Z$, $u \in O^*$.
4. O is a principal ideal domain.
In the case of the rational number field, we have proved three of the four claims. Apparently, the element t, which is called a prime element, is equal to 2 with respect to A in this case. Set
$$v_P(z) = n,$$
where n is the integer in the unique expression $z = t^n u$ in the above Claim 3. Then it is easily verified that this function has the following properties:
1. $v_P(x) = \infty$ if and only if x = 0.
2. $v_P(xy) = v_P(x) + v_P(y)$ for any $x, y \in F$.
3. $v_P(x + y) \geq \min\{v_P(x), v_P(y)\}$ for any $x, y \in F$.
4. There is an element $z \in F$ with $v_P(z) = 1$.
Such a function is called a discrete valuation of the field. We can verify that there is a one-to-one correspondence between the valuation rings and the discrete valuations of a field. In the case of the rational number field Q the discrete valuation induced by the valuation ring A is $v_A : Q \to Z$ defined by
$$v_A(p/q) = m,$$
where p/q is reduced, and m is the unique integer such that $p/q = 2^m p_1/q$, where $\gcd(p_1, 2) = \gcd(q, 2) = 1$. The relation between this discrete valuation and the 2-adic value is
$$v_A(p/q) = -\log_2 |p/q|_2.$$
The above notions and results about rational numbers have already been extended into algebraic function fields which have applications in coding theory [345]. Now we consider the arithmetic of Q[2] and Z[2]. Suppose that $\alpha$ and $\beta$ are two 2-adic numbers with
$$\alpha = \sum_{i=-f}^{\infty} a_i 2^i \quad \text{and} \quad \beta = \sum_{i=-f}^{\infty} b_i 2^i,$$
where $a_i, b_i \in \{0, 1\}$, and $a_{-f} \neq 0$, but one or more of the first digits $b_{-f}, b_{-f+1}, \ldots$ may be equal to zero. The addition $\alpha + \beta$ is defined by the convergent series
$$\alpha + \beta = \sum_{i=-f}^{\infty} (a_i + b_i) 2^i = \sum_{i=-f}^{\infty} r_i 2^i,$$
where each $r_i \in \{0, 1\}$ is calculated by
$$r_i = (a_i + b_i + c_{i-1}) \bmod 2, \qquad c_i = (a_i + b_i + c_{i-1}) \operatorname{div} 2$$
(div 2 means remove the last binary digit) for each $i \geq -f$, where $c_{-f-1}$ is defined to be 0, and the $c_i$'s are carry bits.
As an example, let $\alpha = 1$ and $\beta = \sum_{i=0}^{\infty} 2^i$; then $\alpha + \beta = 0$. Let $|\beta|_2 = 2^{-g}$, so $b_g$ is the first digit distinct from 0; then
$$-\beta = 2^g + \sum_{i=g+1}^{\infty} (1 - b_i) 2^i.$$
The subtraction $\alpha - \beta$ is defined to be $\alpha + (-\beta)$. It is obvious that Q[2] and Z[2] are Abelian groups with respect to the addition. The multiplication of two 2-adic numbers is defined as follows. Let
$$\alpha = \sum_{i=-f}^{\infty} a_i 2^i \quad \text{and} \quad \beta = \sum_{i=-g}^{\infty} b_i 2^i,$$
where $|\alpha|_2 = 2^f$ and $|\beta|_2 = 2^g$. After multiplying the series term by term and rearranging the terms, we obtain
$$\alpha\beta = \sum_{i=-(f+g)}^{\infty} u_i 2^i, \quad \text{where} \quad u_i = \sum_{k+j=i} a_k b_j,$$
for each $i \geq -(f+g)$. The $u_i$'s could be much larger than 2. Then we use the same reduction procedure as before to get
$$\alpha\beta = \sum_{i=-(f+g)}^{\infty} r_i 2^i,$$
where each $r_i \in \{0, 1\}$ is calculated by
$$r_i = (u_i + c_{i-1}) \bmod 2, \qquad c_i = (u_i + c_{i-1}) \operatorname{div} 2$$
for each $i \geq -(f+g)$, where $c_{-(f+g+1)}$ is defined to be 0, and the $c_i$'s are carry digits.
Let
$$\alpha = \sum_{i=-f}^{\infty} a_i 2^i,$$
where $|\alpha|_2 = 2^f$ and $a_{-f} = 1$. One can easily prove that there is a unique 2-adic number
$$\beta = \sum_{i=f}^{\infty} b_i 2^i$$
such that $\alpha\beta = 1$, where $b_f = 1$. This means that Q[2] forms a group with respect to the multiplication, but Z[2] does not. Division for two 2-adic numbers is then defined to be $\alpha/\beta = \alpha\beta^{-1}$. Let $\bar{Q}$ be the set of ultimately periodic 2-adic numbers, and let $\phi : Q \to \bar{Q}$ map each rational number to its unique 2-adic expansion. Then it is easily verified that $\phi$ is an isomorphism between $(Q, +, \cdot)$ and $(\bar{Q}, +, \cdot)$. Thus, the structure of $\bar{Q}$ is the same as that of Q, and we have the following conclusions.

Proposition 14.3.5 The following conclusions regarding $\bar{Q}$ and Z[2] are true:
1. Z[2] is a maximum proper ring of $\bar{Q}$.
2. Every nonzero principal ideal of Z[2] must be of the form $2^m Z[2]$.
3. Z[2] is a local ring.
4. The quotient field $\bar{Q}/Z[2]$ is isomorphic to $Z_2$.

The one-to-one correspondence between the set of binary ultimately periodic sequences and the set of 2-adic integers defined by
$$a^\infty \mapsto \sum_{i=0}^{\infty} a_i 2^i$$
gives automatically the 2-adic sum and the 2-adic product of binary sequences.

14.4 Feedback Shift Registers with Carry
A kind of feedback shift register, feedback with carry shift registers (briefly FCSRs), was described by Klapper and Goresky [187, 192]. They can be thought of as LFSRs with ordinary addition in place of addition modulo 2, and auxiliary memory for storing the carry. The contents (0 or 1) of the tapped cells of the shift register are added as integers to the current contents of the memory to form a sum, $\Sigma$. The parity bit ($\Sigma \bmod 2$) of $\Sigma$ is fed back into the first cell, and the higher order bits ($\lfloor \Sigma/2 \rfloor$) are retained for the new value of the memory. The FCSR with connection integer q is depicted in Figure 14.1. Note that $q_0 = -1$ does not correspond to a feedback tap, and that the coefficients of high powers of 2 are close to the output cell. In Figure 14.1, $\Sigma$ denotes integer addition. The content of the register at any given time consists of r bits, denoted $a_{n-1}, a_{n-2}, \ldots, a_{n-r+1}, a_{n-r}$. The operation of the shift register is defined as follows:

A1. Form the integer sum $\sigma_n = \sum_{k=1}^{r} q_k a_{n-k} + m_{n-1}$.
A2. Shift the contents one step to the right, outputting the rightmost bit $a_{n-r}$.
A3. Place $a_n = \sigma_n \bmod 2$ into the leftmost cell of the shift register.
A4. Replace the memory integer $m_{n-1}$ with $m_n = (\sigma_n - a_n)/2 = \lfloor \sigma_n/2 \rfloor$.

Figure 14.1: Feedback with carry shift register.
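The 2-adic expansion procedure of Section 14.1, the carry recursion of Section 14.3 and steps A1 to A4 above, as an added example that is not code from the book: a Python implementation of the digit recursion p/q = u + 2p'/q, of the rational reconstruction (14.5), of digit-wise 2-adic addition with carries, and of an FCSR whose taps q_1, ..., q_r are read from the binary expansion of q + 1 as in (14.8) below. The function names, the register representation (rightmost cell first) and the constructed inputs 4/9, 1/5 and q = 5 are my own choices.

```python
from fractions import Fraction


def two_adic_expansion(p, q):
    """Digits of the 2-adic expansion of p/q (q odd) as (preperiod, period).

    Each step solves p/q = u + 2 p'/q with u in {0, 1}, i.e. the relation (14.2)/(14.4)
    of the text: u = p mod 2 and p' = (p - u*q)/2.  The successive numerators stay
    bounded, so one must recur; the digits between its two occurrences are the period.
    """
    frac = Fraction(p, q)                     # reduce, and make the denominator positive
    p, q = frac.numerator, frac.denominator
    if q % 2 == 0:
        raise ValueError("the denominator must be odd")
    digits, first_seen = [], {}
    while p not in first_seen:
        first_seen[p] = len(digits)
        u = p % 2                             # Python's % yields 0 or 1 for negative p too
        digits.append(u)
        p = (p - u * q) // 2                  # exact division: p - u*q is even
    start = first_seen[p]
    return digits[:start], digits[start:]


def rational_from_expansion(preperiod, period):
    """Invert the expansion with (14.5):
    alpha = sum_{i<m} a_i 2^i - 2^m (sum_{j<N} a_{m+j} 2^j) / (2^N - 1)."""
    m, n = len(preperiod), len(period)
    head = sum(a << i for i, a in enumerate(preperiod))
    block = sum(a << j for j, a in enumerate(period))
    return Fraction(head) - Fraction(block << m, (1 << n) - 1)


def digit_at(preperiod, period):
    """Accessor a(i) for the i-th digit of an ultimately periodic expansion."""
    m, n = len(preperiod), len(period)
    return lambda i: preperiod[i] if i < m else period[(i - m) % n]


def add_2adic(a, b, count):
    """First `count` digits of alpha + beta by the carry recursion of Section 14.3:
    r_i = (a_i + b_i + c_{i-1}) mod 2, c_i = (a_i + b_i + c_{i-1}) div 2, c_{-1} = 0."""
    digits, carry = [], 0
    for i in range(count):
        s = a(i) + b(i) + carry
        digits.append(s % 2)
        carry = s // 2
    return digits


def fcsr_taps(q):
    """Feedback bits q_1..q_r read from q + 1 = q_1 2 + ... + q_r 2^r (q odd)."""
    if q <= 0 or q % 2 == 0:
        raise ValueError("the connection integer must be a positive odd integer")
    bits, v = [], (q + 1) >> 1                # the 2^0 bit of q + 1 is always 0
    while v:
        bits.append(v & 1)
        v >>= 1
    return bits                               # bits[k - 1] == q_k, r == len(bits)


def fcsr_run(q, register, memory):
    """Run A1-A4 until the (register, memory) state recurs.

    register[0] is the rightmost cell a_{n-r} (the next output bit) and register[-1]
    is a_{n-1}.  If the state at time n equals the state first seen at time s, the
    output repeats from s on with period n - s, so (out[:s], out[s:n]) is returned.
    """
    taps = fcsr_taps(q)
    r = len(taps)
    if len(register) != r:
        raise ValueError(f"the register must have r = {r} cells")
    reg, mem, out, first_seen = list(register), memory, [], {}
    while (tuple(reg), mem) not in first_seen:
        first_seen[(tuple(reg), mem)] = len(out)
        sigma = mem + sum(taps[k - 1] * reg[r - k] for k in range(1, r + 1))  # A1
        out.append(reg.pop(0))                                               # A2
        reg.append(sigma % 2)                                                # A3
        mem = sigma // 2                                                     # A4
    start = first_seen[(tuple(reg), mem)]
    return out[:start], out[start:]


if __name__ == "__main__":
    pre, per = two_adic_expansion(4, 9)       # the worked example 4/9 of the text
    print("4/9 =", "".join(map(str, pre)), "overline", "".join(map(str, per)))
    # constructed FCSR: q = 5, so q + 1 = 6 = 2 + 2^2, taps q_1 = q_2 = 1, r = 2
    pre, per = fcsr_run(5, [1, 0], 0)
    print("FCSR(q=5) from [1,0], memory 0:", pre, per, "=", rational_from_expansion(pre, per))
    s = add_2adic(digit_at(*two_adic_expansion(4, 9)), digit_at(*two_adic_expansion(1, 5)), 12)
    print("first 12 digits of 4/9 + 1/5:", s)
```

With q = 5 the register started as [1, 0] with empty memory outputs 1 0110 0110 ..., which is exactly the expansion of 1/5, and the same register started as [1, 1] outputs the purely periodic expansion of −1/5.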
The integer q is referred to as the connection integer because its binary expansion gives the analog to the connection polynomial in the usual theory of linear feedback shift registers. FCSRs were described to construct a feedback shift register whose output is the coefficient sequence of the 2-adic expansion
$$\alpha = \sum_{i=0}^{\infty} a_i 2^i = \frac{p}{q} \tag{14.7}$$
of a given rational number p/q with q odd and $0 \leq -p < q$ [192]. For the rest of this section, we fix an odd positive integer $q \in Z$ and let $r = \lfloor \log_2(q+1) \rfloor$. Write
$$q + 1 = q_1 2 + q_2 2^2 + \cdots + q_r 2^r \tag{14.8}$$
for the binary representation of the integer q + 1, where $q_r = 1$. The shift register uses r stages and no more than $\lfloor \log_2(r) \rfloor$ additional bits of memory. The feedback connections are given by the bits $\{q_1, q_2, \ldots, q_r\}$ appearing in (14.8). The memory requirements can be easily seen as follows [192]. Let $w = w_H(q+1)$ be the number of nonzero $q_i$, $i = 1, \ldots, r$, the Hamming weight of q + 1. If the memory needed for $m_{n-1}$ is no more than w bits then the same will be true for all later $m_i$ with $i \geq n$. This follows from (A1) and (A4) because $\sigma_n \leq w + m_{n-1} \leq 2w$ and $m_n$

w, then with each step, the memory will decrease at least by 1. After b − w steps, the memory needed for later carries will be no more than w bits. This follows from (A1) and (A4) which give

$m_n$ 1. Equation (14.16) can be rewritten as
9( a / + (ad + 2b)g)
_ 2A2(a ~176+ 2[log(A2(a~ + 3.)

Proof: By assumption, $\alpha = p/q$, so q is odd and $(p, q) \in L_k$ for all k. The output from the algorithm is a pair $g = (g_1, g_2) \in L_T$ which is $\Phi$-minimal, so $(g_1, g_2) \leq_\Phi (p, q)$. Hence $|g_1 q| \geq$

$\min\{\mathrm{ord}_{(p-3)/4}(2), \mathrm{ord}_{(q-3)/4}(2)\}$. Thus, with a special Blum integer the linear complexity and its stability of the Blum-Blum-Shub sequence can be controlled by controlling the orders of 2 modulo (p − 3)/4 and (q − 3)/4.
Another cryptographically interesting property of the Blum-Blum-Shub generator is its unpredictability under the hypothesis that any efficient procedure for guessing the quadratic residuacity of a given m modulo N will be incorrect for a positive fraction of the inputs [24]. We note that the unpredictability problem for sequences defined by Blum, Blum and Shub [24] is similar to undecidability problems of formal languages, where the Church Hypothesis is needed (see Rozenberg and Salomaa [307] and Salomaa [311]). It is important that the imbalance between 0's and 1's of cryptographic binary sequences is controlled. It is not strange that results about the imbalance of Blum-Blum-Shub sequences were obtained ten years after the generator was proposed, since the imbalance problem of Blum-Blum-Shub sequences seems to be related to some quite advanced topics in number theory [72]. Substantial progress on this problem has been made by Cusick, who proved that the average imbalance for these sequences is no worse than what would be expected in a truly random bit string of the same length [72]. However, the imbalance problem for each individual Blum-Blum-Shub sequence still remains open. Solving this problem might involve many more results in number theory. In this section we follow Cusick [72] to see how the average imbalance problem of Blum-Blum-Shub sequences is related to Gauss' class number problem for imaginary quadratic fields, the lambda function and the Kronecker symbol. Let d and n be integers with $d \equiv 0$ or 1 (mod 4) and not a square, n > 0. The Kronecker symbol is defined by
1. $\left(\frac{d}{n}\right) = 0$ if gcd(d, n) > 1,
2. $\left(\frac{d}{1}\right) = 1$,
3. if d is odd, $\left(\frac{d}{2}\right) = \left(\frac{2}{|d|}\right)$, a Jacobi symbol, so
$$\left(\frac{d}{2}\right) = \begin{cases} +1, & d \equiv 1 \text{ or } 7 \pmod 8, \\ -1, & d \equiv 3 \text{ or } 5 \pmod 8, \end{cases} \tag{14.18}$$
4. if $n = \prod_{i=1}^{r} p_i$ then $\left(\frac{d}{n}\right) = \prod_{i=1}^{r} \left(\frac{d}{p_i}\right)$, a product of Legendre symbols and, if n is even, the symbol (d/2).
By the above definition the following basic properties are easily verified (see Hua [173, pp. 304-306] or Rosen [305, pp. 65-66]).
1. ( ) =
2. (d
3. if d is odd.
4. $\left(\frac{d}{m}\right) = \left(\frac{d}{n}\right)$ if $m \equiv n \pmod{|d|}$, and $\left(\frac{d}{m}\right) = \left(\frac{d}{n}\right)\mathrm{sign}(d)$ if $m \equiv -n \pmod{|d|}$.

14.8. Blum-Blum-Shub Sequences & Class Numbers
To go further, we need some results about quadratic fields. Any extension of the rational number field Q of degree 2 is called a quadratic field. It is easily seen that any quadratic field K is of the form $Q(\theta)$, where $\theta$ is a root of a polynomial $x^2 - d$ with $d \neq 1$ and d a squarefree rational integer (positive or negative). The field is usually written as $Q(\sqrt{d})$. If d and d' are not equal to 1 and squarefree, then $Q(\sqrt{d}) \neq Q(\sqrt{d'})$. The basic invariant of a quadratic field is its discriminant, which is defined to be
$$D_K = \begin{cases} d, & \text{if } d \equiv 1 \pmod 4, \\ 4d, & \text{otherwise.} \end{cases}$$
Since $D_K \equiv 0$ or 1 (mod 4) and $K = Q(\sqrt{D_K})$, a quadratic field is determined by its discriminant. It is easy to prove that any element of $Q(\sqrt{d})$ can be uniquely expressed as
$$\alpha = x + y\sqrt{d},$$
where x and y are rationals. The conjugate of $\alpha$, written $\bar{\alpha}$, is defined to be $x - y\sqrt{d}$, and the norm of $\alpha$ is $N(\alpha) = \alpha\bar{\alpha} = x^2 - dy^2$. An element $\alpha$ of a quadratic field is called an algebraic integer or integer if $\alpha$ satisfies a polynomial equation
$$x^2 + bx + c = 0,$$
where b and c are rational integers. It is also easy to verify that the set of integers $O_K$ of a quadratic field $K = Q(\sqrt{d})$ forms a ring with respect to the addition and multiplication of the quadratic field K and is described by
$$O_K = \begin{cases} Z[(1 + \sqrt{d})/2], & \text{if } d \equiv 1 \pmod 4, \\ Z[\sqrt{d}], & \text{otherwise.} \end{cases}$$
An ideal I of the ring $O_K$ is called a principal ideal if there exists an integer $\alpha$ such that $I = \{\lambda\alpha : \lambda \in O_K\}$. Two ideals $I_1$ and $I_2$ are said to be equivalent if there is a principal ideal $(\alpha)$ such that $I_1 = (\alpha)I_2$. These ideals are narrowly equivalent if the norm of $\alpha$ is positive. The class number, written $h(D_K)$, is the number of ideal classes in the narrow sense in a quadratic field $K = Q(\sqrt{d})$. We can also define the class number with respect to the usual equivalence relation. But for an imaginary quadratic field $K = Q(\sqrt{d})$, i.e., d < 0, the two kinds of equivalence relations are the same, since $N(\alpha) > 0$ for any nonzero $\alpha$. The Dirichlet class number formula for the imaginary quadratic field $K = Q(\sqrt{d})$, where d < 0, is described by the following lemma (for proof, see Davenport [81]).
Lemma 14.8.2 Suppose D < 0, $D \equiv 0$ or 1 (mod 4), D not a square. Then the class number h(D) of the imaginary quadratic field with discriminant D is given by
h(D) 2191 j=l
where
$$w(D) = \begin{cases} 6, & D = -3, \\ 4, & D = -4, \\ 2, & D < -4. \end{cases}$$
There is an intimate relation between the theory of quadratic forms and that of quadratic fields. Thus the class number defined in Section 12.5 is closely related to the class number here. For details we refer to Buell [42], Cox [70], and Borevich and Shafarevich [26]. Now we turn back to the imbalance problem of Blum-Blum-Shub sequences and class numbers. Let A denote the r by $\lambda(\lambda(N))$ array whose ith row is the ith sequence in the list of sequences $s_a$ of length $\lambda(\lambda(N))$, where
$$s_a = \{c_j = a^{2^j} \bmod N : j = 1, 2, \ldots, \lambda(\lambda(N))\}$$
and a runs through the integers satisfying 1 < a < N/2 and gcd(a, N) = 1. Each of the integers $c_j$ is a quadratic residue modulo N and so is a possible seed $x_0$ for the Blum-Blum-Shub generator. Cusick [72] observed the following three properties of the array A:
1. The array A includes exactly two copies of the first $\lambda(\lambda(N))$ terms of each sequence $x^\infty$ which can be produced by the $x^2 \bmod N$ generator, since each quadratic residue modulo N has two square roots a modulo N in the interval 1 < a < N/2.
2. Each row of A contains at least one period of the corresponding sequence $x^\infty$, since the period of $x^\infty$ divides $\lambda(\lambda(N))$.
3. Each column of A contains some permutation of two copies of the set $S_N = \{a^2 \bmod N : \gcd(a, N) = 1,\ 1$

$> (p_i - 1)/2$ for i = 0 and 1, in order that in every two consecutive updatings of the two registers of the two cyclic counters in the keystream generator there is at least one modulo-$p_i$ reduction;
15.1. Prime32: A Description

Figure 15.1: Structure of the ciphering algorithm. (Labels recovered from the figure: (p0, a0) counter, (p1, a1) counter, partial keys K0, K1, K2, K3, linear permutation L(x), linear compression function, S-box arrays, plaintext block, bytewise xor, ciphertext block.)
Chapter 15. Prime Ciphering Algorithms
2. they are different and the difference is large enough;
3. each $a_i$ is not too close to $p_i$;
4. they are primes (this leads to $\gcd(a_1, a_2) = 1$).
Based on the above considerations we suggest the following two constants:
$$a_0 = 2345986071, \qquad a_1 = 3124567807.$$
Of course, there are many such choices for the constants $a_i$. The first layer is intended to control the least period and linear complexity of the keystream sequence. The second layer is a linear one that is for diffusion. The first, second, third, and fourth bytes of the contents of the two registers of the two cyclic counters are used as the inputs of this second layer. If $X_0, \ldots, X_7$ are the eight input bytes of this layer, then its eight output bytes are defined by
$$Y_j = \sum_{i=0}^{7} X_i - X_j, \quad j = 0, 1, \ldots, 7, \tag{15.1}$$
where "+" and "−" denote the addition and subtraction of $Z_{256}$. It is clear that the change of one byte leads to a change of seven of the eight output bytes of this layer. We use L(X) to denote this linear permutation. The third layer of the algorithm consists of eight S-boxes $S_0$, each of which is a permutation of $Z_{256}$ with good nonlinearity with respect to the addition of the residue class ring $Z_{256}$. This is the first nonlinear layer. The nonlinear permutation $S_0$ is defined by
$$S_0(x) = [(x^{255} \bmod 257) \bmod 256], \quad x \in Z_{256}.$$
The permutation $x^{255} = x^{-1}$ has good nonlinearity with respect to the addition of $Z_{257}$. Computation proves that the above permutation $S_0$ also has good nonlinearity with respect to the addition of $Z_{256}$. The approach to finding a good nonlinear permutation of $Z_{256}$ here follows that used by Massey [237]. The fourth layer is the bytewise addition of the outputs of the third round and the partial keys $K_2$ and $K_3$. The outputs of the first four S-boxes $S_0$ are added to the four bytes of $K_2$, and those of the second four S-boxes $S_0$ are added to the four bytes of $K_3$, where all additions are integer addition modulo 256. The fifth layer is a linear one that is exactly the same as the second layer. The sixth layer is again a key-addition layer, but this time the partial keys $K_0$ and $K_1$ are added. This is expected to make it difficult to find some
key-equivalence classes, by which we mean sets of keys that determine the same encryption transformation. The seventh layer is a nonlinear layer which is the same as the third one. The eighth layer is a linear layer which is the same as the second and fifth layers. The ninth layer is nonlinear and also for data expansion. It has eight-byte inputs, but 32-byte outputs. Each box containing a symbol 14 denotes an array of four S-boxes in the order $S_1, S_2, S_3, S_4$. The four S-boxes are defined by
$$\begin{aligned}
S_1(x) &= [x^3 \bmod 257] \bmod 256, \\
S_2(x) &= [x^{171} \bmod 257] \bmod 256, \\
S_3(x) &= [45^x \bmod 257] \bmod 256, \\
S_4(x) &= \begin{cases} 128, & \text{if } x = 0, \\ [\log_{45} x \bmod 257] \bmod 256, & \text{if } x \neq 0. \end{cases}
\end{aligned}$$
$S_3$ and $S_4$ are the two S-boxes used in SAFER [237]. As far as nonlinearity is concerned, $S_3$ and $S_4$ are good nonlinear permutations of $Z_{256}$ with respect to the addition of $Z_{256}$. $S_1$ and $S_2$ also have good nonlinearity, but not as good as $S_3$ and $S_4$. In fact, $S_1$ and $S_2$ have the same nonlinearity as $S_0$. However, it should be mentioned that the nonlinearity with respect to the bytewise xor of $S_1$ and $S_2$ is much better than that of $S_3$ and $S_4$. The nonlinearity of a permutation P(x) of $Z_{256}$ with respect to the addition of $Z_{256}$ is measured by the probability $\Pr(P(x+a) - P(x) = b)$. When a = 0, this probability is 1 or 0 and it is not interesting in any attack. So we are only interested in the case $a \neq 0$. Note that if P(x) is a permutation, the equation $P(x+a) - P(x) = 0$ has no solution. So for any fixed $a \neq 0$ we have
$$\max_{b \neq 0} \Pr(P(x+a) - P(x) = b) \geq 2/256 = 1/128.$$
Hence
$$\frac{1}{128} \leq \max_{b \neq 0} \Pr(P(x+a) - P(x) = b)$$

17, we have
$$32\Pr(f(x +'' a) \oplus f(x) = 0) \neq 32\Pr(f(x +'' (-a)) \oplus f(x) = 0).$$
This shows that f(x) has relatively much better nonlinearity with respect to $(+'', \oplus)$ than to $(+', \oplus)$. It is possible for one function to have the same local nonlinearity with respect to many binary operations of the input and output Abelian groups. Let (G, +') and (H, +) be two finite Abelian groups. For any $b \in G$, we define another binary operation +'' of G by $x +'' y = x +' y +' b$. Then it is easy to see that (G, +'') is an Abelian group. Let f(x) be any function from G to H; then we have
$$\Pr(f(x +'' a) - f(x) = r) = \Pr(f(x +' a +' b) - f(x) = r).$$
This means that the local nonlinearity of f(x) at a with respect to (+'', +) is the same as that at a +' b with respect to (+', +). Thus, every function from G to H has the same nonlinearity with respect to (+'', +) and (+', +). One of the most interesting general results about linear functions is Theorem 13.2.6, i.e.,
Chapter 16. Cryptographic Problems and Philosophies

Table 16.1: An example of the relativity of nonlinearity.

  a                                 1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
  32 Pr(f(x +'' a) ⊕ f(x) = 0)     10  12  22   8  18  20  14  16  18  12  14  22  10  20  22   0
  32 Pr(f(x +'' a) ⊕ f(x) = 1)     22  20  10  24  14  12  18  16  14  20  18  10  22  12  10  32
For every nonzero linear function L(x) from $F = GF(q^m)$ to $K = GF(q)$ with respect to (F, +) and (K, +), its nonlinearity with respect to $(F^*, \times)$ and (K, +) is optimal. This shows another cryptographic significance of linear functions. It tells us that these linear functions are very good nonlinear functions provided they are used properly. Summarizing this section, we see that linear functions are cryptographically important in
1. achieving "diffusion";
2. controlling the density of cryptographic transformations specified by keys;
3. serving as good nonlinear functions in a suitable context.
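The Prime32 components of Section 15.1, as an added example that is not the cipher's own code: the linear layer (15.1) together with its inverse, the S-boxes $S_0$ to $S_4$ exactly as defined there, and the differential measure $\max_{b \neq 0} \Pr(P(x+a) - P(x) = b)$ over $Z_{256}$ that the text uses to compare them. The function names, the permutation checks and the sample input block are my own; the lower bound 1/128 checked at the end is the one the text derives.

```python
# Added example (not Prime32 reference code): the byte-level building blocks of
# Section 15.1 and the additive differential measure the text uses to compare them.

P = 257                  # every S-box works in Z_257 and folds the result into Z_256
INV7 = pow(7, -1, 256)   # = 183; used to invert the linear layer (15.1)


def sbox_s0(x):
    """S0(x) = [(x^255 mod 257) mod 256]; x^255 is the inverse of x in Z_257*, and 0 -> 0."""
    return pow(x, 255, P) % 256


def sbox_s1(x):
    """S1(x) = [x^3 mod 257] mod 256."""
    return pow(x, 3, P) % 256


def sbox_s2(x):
    """S2(x) = [x^171 mod 257] mod 256; since 3*171 = 513 = 1 (mod 256), S2 inverts S1."""
    return pow(x, 171, P) % 256


def sbox_s3(x):
    """S3(x) = [45^x mod 257] mod 256, SAFER's exponentiation box (45 generates Z_257*)."""
    return pow(45, x, P) % 256


_LOG45 = {sbox_s3(e): e for e in range(256)}   # inverse table of S3; 45^128 = 256 folds to 0


def sbox_s4(x):
    """S4(x) = 128 if x = 0, else [log_45 x mod 257] mod 256, SAFER's logarithm box."""
    return 128 if x == 0 else _LOG45[x]


def table(sbox):
    """Lookup table of an S-box over Z_256."""
    return [sbox(x) for x in range(256)]


def is_permutation(t):
    """True if the 256-entry table is a bijection of Z_256."""
    return sorted(t) == list(range(256))


def linear_layer(X):
    """(15.1): Y_j = (sum_i X_i) - X_j in Z_256.  Changing one X_j changes exactly the
    seven other output bytes, because the change cancels inside Y_j itself."""
    if len(X) != 8:
        raise ValueError("L(X) takes eight bytes")
    s = sum(X) % 256
    return [(s - x) % 256 for x in X]


def linear_layer_inverse(Y):
    """Invert L: sum_j Y_j = 7 * sum_i X_i (mod 256), and 7 is invertible modulo 256."""
    s = (INV7 * sum(Y)) % 256
    return [(s - y) % 256 for y in Y]


def max_diff_prob(t, a):
    """max over b != 0 of Pr(P(x + a) - P(x) = b), x uniform in Z_256, arithmetic in Z_256."""
    counts = {}
    for x in range(256):
        b = (t[(x + a) % 256] - t[x]) % 256
        counts[b] = counts.get(b, 0) + 1
    return max((n for b, n in counts.items() if b != 0), default=0) / 256


def differential_profile(t):
    """Worst case of max_diff_prob over all a != 0; for any permutation of Z_256 the
    text shows this is at least 2/256 = 1/128."""
    return max(max_diff_prob(t, a) for a in range(1, 256))


if __name__ == "__main__":
    for name, sbox in [("S0", sbox_s0), ("S1", sbox_s1), ("S2", sbox_s2),
                       ("S3", sbox_s3), ("S4", sbox_s4)]:
        t = table(sbox)
        print(name, "permutation:", is_permutation(t),
              "max_a max_b Pr =", differential_profile(t))
    X = [0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80]   # constructed input block
    print("L(X) =", linear_layer(X),
          "L^-1(L(X)) == X:", linear_layer_inverse(linear_layer(X)) == X)
```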
16.2 Stability and Instability
Stability problems are everywhere and all around us. Everyone has to stabilize his/her relations with most of the people around him/her. We have the problem of stabilizing the world. Every country has its own stability problems, which include the stability of the general welfare by taxing, the stability of political rights and social order by law, and stability among individuals and among different social classes. Similarly, every family also has its own stability problems. Generally, we may say that every system has its stability problems, and so do cipher systems.

Figure 16.1: A description of cryptographic systems (system parameters; input → system functions → output).
16.2.1 Stability and Diffusion
Many systems can be described with Figure 16.1, where whenever an input is given, a corresponding output is produced by the system, using functions which are controlled by the system parameters. One important stability problem of such systems is the study of changes in the output when the input is changed. Suppose that each input is taken from a metric space $(I, +, |\cdot|_1)$, and each output is from a metric space $(O, +, |\cdot|_2)$, where (I, +) and (O, +) are Abelian groups with norms $|\cdot|_1$ and $|\cdot|_2$ respectively. Furthermore, suppose that the system has only one system mapping $F(k_1, \ldots, k_r, i)$, where $k = (k_1, \ldots, k_r)$ denotes the system parameter, which is supposed to be taken from another metric space $(K, +, |\cdot|_3)$. Then there are two basic stability problems about the system. One is the study of the ratio
$$\Delta F(i_1, i_2) = \frac{|F(k, i_1) - F(k, i_2)|_2}{|i_1 - i_2|_1}, \tag{16.3}$$
where k is a fixed element of K. This is a measure of the extent of change in the output relative to the change in the input, which is a stability problem for many such systems. Another stability problem is how sensitive the system is to parameter changes, which can be measured by
$$\Delta F(k, k') = \frac{|F(k, i) - F(k', i)|_2}{|k - k'|_3}, \tag{16.4}$$
where i is fixed. For many such continuous systems, calculus can be used to treat the two stability problems. Derivatives are measures of such stabilities. For discrete systems some mathematical tools which are analogous to calculus are needed to treat these two stability problems. The stability of the solution of some linear systems is one example of such problems.
Chapter 16. Cryptographic Problems and Philosophies
Every cipher system may be described by the system of Figure 16.1, where the inputs are plaintexts, the outputs are ciphertexts and the system parameters are keys and/or the initial values of the internal memory state. The system functions are those which give the encryption transformation. For block ciphers, inputs and outputs are blocks of digits, say p = (p_0, p_1, \ldots, p_{n-1}) is a plaintext block and c = (c_0, c_1, \ldots, c_{n-1}) is the corresponding ciphertext block. Let E be the block encryption algorithm and E(k, \cdot) the encryption transformation specified by a key k; then we have the relation

c = E(k, p). \qquad (16.5)
For the sake of simplicity, we assume that both plaintext blocks and ciphertext blocks are taken from (GF(2)^n, +, |\cdot|), where |\cdot| denotes the Hamming weight. To guide the design of practical ciphers, Shannon suggested two general principles, which he called diffusion and confusion [329]. By diffusion, he meant the spreading out of the influence of a single plaintext digit over many ciphertext digits so as to hide the statistical structure of the plaintext. An extension of this idea is to spread the influence of a single key digit over many digits of ciphertext so as to frustrate a piecemeal attack on the key. Thus, the concept of diffusion suggested by Shannon and its extension are in fact two kinds of instability which can be measured by (16.3) and (16.4) respectively, where F is the encryption algorithm. This means that Shannon's diffusion and its extension suggest designing ciphers which are not too stable with respect to either plaintexts or keys. However, if we use (16.3) and (16.4) to measure the plaintext diffusion and key diffusion, it may be mathematically proven that there is a tradeoff between the extent of plaintext (key) diffusion and the nonlinearity of the encryption function E(k, p) with respect to the additions of (P, +) ((K, +)) and (C, +), where (P, +), (K, +) and (C, +) are respectively the plaintext block space, key space and ciphertext block space. A linear encryption transformation, for instance, can spread every input change over many output digits, but its output differences are then completely determined by the input differences. This tradeoff can be seen from the discussion of Section 16.3. It follows that we have to make a compromise between diffusion and nonlinearity of the encryption transformations when designing ciphers. By confusion, Shannon meant the use of enciphering transformations that complicate the determination of how the statistics of the ciphertext depend on the statistics of the plaintext. Thus, the nonlinearity of the enciphering transformations may be used as a partial measure of confusion. If this is accepted, there is a tradeoff between diffusion and confusion within a block cipher. Another cryptographic stability notion is the linear complexity stability of sequences, which is described in Section 2.3.4.
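The two ratios (16.3) and (16.4) and the tradeoff with nonlinearity can be observed directly on small ciphers. The following Python program is an added example, not code from the book: it builds two toy 8-bit ciphers of its own (a two-round substitution-permutation network using the published PRESENT 4-bit S-box, and a purely linear cipher given by key addition followed by an invertible GF(2) matrix), measures (16.3) and (16.4) with the Hamming weight as the norm, and also computes the largest differential probability of each cipher, which equals 1 exactly when some input change propagates as a fixed linear relation. The linear cipher reaches a diffusion ratio of 3 on every single-bit change of plaintext or key and has no nonlinearity at all; the toy SPN has nonzero nonlinearity but weaker, key- and plaintext-dependent diffusion. The S-box wiring, the permutation, the matrix and the key values are all constructed for this illustration.

```python
"""Measuring plaintext and key diffusion, (16.3) and (16.4), on two toy 8-bit ciphers.

Added example, not from the book.  Both ciphers are constructed here for
illustration: a tiny two-round SPN (key-XOR, PRESENT 4-bit S-box, bit
permutation) and a purely linear cipher (key-XOR followed by an invertible
GF(2) matrix).  Hamming weight is the norm on the plaintext, key and
ciphertext spaces.
"""

# PRESENT S-box (a published 4-bit S-box); the 8-bit wiring around it is ours.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
PERM = [0, 4, 1, 5, 2, 6, 3, 7]      # output bit j takes input bit PERM[j]
# Circulant matrix generated by 1 + x + x^3: every column has weight 3 and
# gcd(1 + x + x^3, x^8 + 1) = 1 over GF(2), so the matrix is invertible.
MCOLS = [((0x0B << j) | (0x0B >> (8 - j))) & 0xFF for j in range(8)]


def hw(x):
    """Hamming weight, the norm |.| on GF(2)^n."""
    return bin(x).count("1")


def spn_encrypt(k, p):
    """Toy SPN: 24-bit key = three 8-bit round keys, two S-box/permutation rounds."""
    rk = [(k >> (8 * r)) & 0xFF for r in range(3)]
    x = p
    for r in range(2):
        x ^= rk[r]
        x = SBOX[x & 0xF] | (SBOX[x >> 4] << 4)
        x = sum(((x >> PERM[j]) & 1) << j for j in range(8))
    return x ^ rk[2]


def lin_encrypt(k, p):
    """Linear cipher: c = M (p + k) over GF(2); only the low 8 key bits are used."""
    x = p ^ (k & 0xFF)
    y = 0
    for j in range(8):
        if (x >> j) & 1:
            y ^= MCOLS[j]
    return y


def plaintext_diffusion(enc, k, p, dp):
    """Delta_F(p, p + dp) of (16.3): output distance over input distance."""
    return hw(enc(k, p ^ dp) ^ enc(k, p)) / hw(dp)


def key_diffusion(enc, k, p, dk):
    """Delta_F(k, k + dk) of (16.4) for a fixed plaintext."""
    return hw(enc(k ^ dk, p) ^ enc(k, p)) / hw(dk)


def avg_plaintext_diffusion(enc, k):
    """Average of (16.3) over all plaintexts and all single-bit input changes."""
    vals = [plaintext_diffusion(enc, k, p, 1 << i) for p in range(256) for i in range(8)]
    return sum(vals) / len(vals)


def avg_key_diffusion(enc, p, keybits):
    """Average of (16.4) over single-bit changes of the first `keybits` key bits."""
    k = 0x5A3C96                     # constructed key value
    vals = [key_diffusion(enc, k, p, 1 << i) for i in range(keybits)]
    return sum(vals) / len(vals)


def max_differential_probability(enc, k):
    """max over nonzero input differences a of max_b Pr_p[E(k, p + a) + E(k, p) = b].

    The value 1.0 means that some input difference propagates deterministically,
    i.e. for that difference the cipher behaves like a linear function of the plaintext.
    """
    best = 0.0
    for a in range(1, 256):
        counts = {}
        for p in range(256):
            b = enc(k, p ^ a) ^ enc(k, p)
            counts[b] = counts.get(b, 0) + 1
        best = max(best, max(counts.values()) / 256)
    return best


if __name__ == "__main__":
    k = 0x5A3C96
    for name, enc, keybits in (("SPN", spn_encrypt, 24), ("linear", lin_encrypt, 8)):
        print(name, "plaintext diffusion", round(avg_plaintext_diffusion(enc, k), 3),
              "key diffusion", round(avg_key_diffusion(enc, 0x37, keybits), 3),
              "max differential probability", max_differential_probability(enc, k))
```

The linear cipher scores a constant 3.0 on both ratios, as good as a diffusion measure can ask of a weight-3 matrix, yet its maximal differential probability is 1: knowing an input difference fixes the output difference. The SPN gives up some of that diffusion for a maximal differential probability below 1, which is the compromise the text describes.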
16.2.2 Stability of Local Nonlinearities and Differences
According to the definition of local and global nonlinearities in Section 16.1, we have

\sum_{a} P_f(a) = 1. \qquad (16.6)
This is a kind of conservation between the local nonlinearities. Thus, it is necessary to keep the stability of the local nonlinearities, by which we mean the balance between the local nonlinearities. Generally speaking, stability problems exist whenever conservations exist. Recall the difference parameters defined in Section 4.2.1, where three kinds of conservations have been given, i.e.,

\sum_{j} d_f(i, j; w) = |C(f)_i|, \quad i \in G,\ w \in Z_N;

\sum_{i} d_f(i, j; w) = |C(f)_j|, \quad j \in G,\ w \in Z_N;

\sum_{i, j} d_f(i, j; w) = N, \quad w \in Z_N,

where f is a function from Z_N to G, G is an Abelian group, and C(f)_i = \{x \in Z_N : f(x) = i\}. These conservations show the necessity of keeping the stability (balance) between the difference parameters.
16.2.3 Correlation Stability and Pattern Stability
To see the conservation between correlations, we take the autocorrelation of binary periodic sequences as an example. Recall the definition of the autocorrelation function AC_s(l) of a binary sequence s^\infty of period N, which is defined by

AC_s(l) = \frac{1}{N} \sum_{i=0}^{N-1} (-1)^{s_i + s_{i+l}}.

Let n denote the number of 1's in one period of the sequence; then we have

\sum_{l=1}^{N-1} AC_s(l) = \frac{(2n - N)^2}{N} - 1.

(The identity follows by summing over all l, including l = 0, which gives \frac{1}{N}\left(\sum_{i=0}^{N-1} (-1)^{s_i}\right)^2 = \frac{(N - 2n)^2}{N}, and subtracting the term AC_s(0) = 1.) This means that the autocorrelations of sequences of period N with a fixed number of 1's in one period are conserved: their sum does not depend on the particular sequence. Thus, keeping their stability is necessary.
As derived in Section 2.3.2, there is a conservation law of patterns in the period of a periodic sequence. Thus, keeping the stability of patterns in a periodic sequence is also necessary. The relation of autocorrelation stability and pattern stability has already been made clear in Section 2.3.2.
16.2.4 Mutual Information Stability
To show the stability of mutual information between keys and keystream digits, we consider now the binary NSG of Figure 2.5(b) [98]. Theoretically every bit of a keystream can give information about a generator's initial state and the key. Thus a basic requirement for stream ciphers is that every bit of keystream gives approximately the same amount of information. In our case, this yields balance requirements for the filter function f(x). This single-bit analysis is apparently applicable to all synchronous stream ciphers. Let C_i = \{x \in Z_N : f(x) = i\} for i = 0, 1. If n = \log_2 N, we can write

I(k; h_0 = 0) = n - \log_2 |C_0| \text{ bits}, \qquad I(k; h_0 = 1) = n - \log_2 |C_1| \text{ bits}.

Noticing that |C_0| + |C_1| = N, we get

2^{n - I(k; h_0 = 0)} + 2^{n - I(k; h_0 = 1)} = N.

This is the theoretical basis for keeping the mutual information between a keystream bit and the key as flat as possible. If we now consider two bits h_i and h_j separately or arbitrarily, we may not obtain I(k; h_i) + I(k; h_j) bits of information about the key. If the cipher is not properly designed, some combinations of bits may give much more information about the key than others. We call such combinations, together with their distance, (h_i, h_j, |i - j|), bad patterns. The idea behind the differential attack on this generator [98] is to look for bad patterns, and in particular for triples (i, j; w) which give as much information about the key as possible. One may argue that we should design our cipher so that the mutual information I(k; (i, j; w)) is as small as possible for all (i, j; w) \in Z_2 \times Z_2 \times Z_N, but in fact we cannot achieve this: one pattern (i, j; w) \in Z_2 \times Z_2 \times Z_N gives

I(k; (i, j; w)) = n - \log_2 d_f(i, j; w) = n - \log_2 |C_i \cap (C_j - w)|

bits of information about the key. Now consider the following theorems:
Theorem 16.2.1 (Conservation Law for Difference Parameters) With the symbols as before, we have

\sum_{j} d_f(i, j; w) = |C_i|, \quad i \in Z_2,\ w \in Z_N;

\sum_{i} d_f(i, j; w) = |C_j|, \quad j \in Z_2,\ w \in Z_N;

\sum_{(i, j) \in Z_2 \times Z_2} d_f(i, j; w) = N, \quad w \in Z_N.

These are the laws of conservation between difference parameters which appear in three forms. By this theorem we have the following conclusion:

Theorem 16.2.2 (Conservation Law of Mutual Information) With the symbols as before, we have

\sum_{j} 2^{n - I(k; (i, j; w))} = |C_i|, \quad i \in Z_2,\ w \in Z_N;

\sum_{i} 2^{n - I(k; (i, j; w))} = |C_j|, \quad j \in Z_2,\ w \in Z_N;

\sum_{(i, j) \in Z_2 \times Z_2} 2^{n - I(k; (i, j; w))} = N, \quad w \in Z_N;

\sum_{(i, j; w)} 2^{n - I(k; (i, j; w))} = N^2.
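The conservation laws of Theorems 16.2.1 and 16.2.2, and the autocorrelation conservation of Section 16.2.3, can all be checked on one concrete generator. The following Python program is an added example, not code from the book. It uses the generator model of this section: the key k is a position in Z_N and the keystream is h_t = f(k + t) for a public function f: Z_N \to Z_2, here the constructed indicator of the nonzero squares modulo N = 11 (any f would do). It computes the difference parameters d_f(i, j; w), verifies the three conservation laws and their mutual-information form, reports the single-bit information and the worst two-bit pattern, treats the impossible pattern with d_f = 0 separately (observing it would rule out every key, so the formula n - \log_2 d_f does not apply), and expresses AC_s(l) through the d_f to check the sum formula of Section 16.2.3 exactly with rational arithmetic.

```python
"""Difference parameters, their conservation laws, the mutual-information
version, and the autocorrelation conservation, on one concrete sequence.

Added example, not from the book.  The generator model is the one of the
text: the key k is a position in Z_N, the keystream is h_t = f(k + t) for a
public f: Z_N -> Z_2.  The f used here is constructed for the example (the
indicator of the nonzero squares modulo 11); any f: Z_N -> Z_2 works.
"""
from fractions import Fraction
import math

N = 11
# f(x) = 1 iff x is a nonzero square mod 11: C_1 = {1, 3, 4, 5, 9}, C_0 = the rest.
F = [1 if x != 0 and any((y * y) % N == x for y in range(1, N)) else 0 for x in range(N)]
C = {i: [x for x in range(N) if F[x] == i] for i in (0, 1)}


def d_f(i, j, w):
    """d_f(i, j; w) = |C_i ∩ (C_j - w)| = #{x : f(x) = i and f(x + w) = j}."""
    return sum(1 for x in range(N) if F[x] == i and F[(x + w) % N] == j)


def check_conservation():
    """The three conservation laws of Theorem 16.2.1, checked for every w."""
    for w in range(N):
        for i in (0, 1):
            assert sum(d_f(i, j, w) for j in (0, 1)) == len(C[i])
        for j in (0, 1):
            assert sum(d_f(i, j, w) for i in (0, 1)) == len(C[j])
        assert sum(d_f(i, j, w) for i in (0, 1) for j in (0, 1)) == N
    return True


def info_pattern(i, j, w):
    """Bits of key information from observing h_0 = i and h_w = j.

    With the key uniform on Z_N this is log2(N / #consistent keys), i.e.
    n - log2 d_f(i, j; w) with n = log2 N.  A pattern that can never occur
    (d_f = 0) is reported as infinity: seeing it would rule out every key.
    """
    consistent = [k for k in range(N) if F[k] == i and F[(k + w) % N] == j]
    assert len(consistent) == d_f(i, j, w)
    return math.inf if not consistent else math.log2(N) - math.log2(len(consistent))


def check_mi_conservation():
    """Theorem 16.2.2: sum_j 2^(n - I) = |C_i| for every i, w, and N^2 over all (i, j; w)."""
    n = math.log2(N)
    total = 0.0
    for w in range(N):
        for i in (0, 1):
            s = sum(2 ** (n - info_pattern(i, j, w)) for j in (0, 1) if d_f(i, j, w))
            assert abs(s - len(C[i])) < 1e-9
        total += sum(2 ** (n - info_pattern(i, j, w)) for i in (0, 1) for j in (0, 1)
                     if d_f(i, j, w))
    return abs(total - N * N) < 1e-9


def worst_pattern():
    """The 'bad pattern': the (i, j; w) with w != 0 leaking the most key bits."""
    return max(((i, j, w) for w in range(1, N) for i in (0, 1) for j in (0, 1)),
               key=lambda t: info_pattern(*t))


def autocorrelation(l):
    """AC_s(l) = (1/N) sum_x (-1)^(s_x + s_{x+l}), written through the d_f."""
    return Fraction(d_f(0, 0, l) + d_f(1, 1, l) - d_f(0, 1, l) - d_f(1, 0, l), N)


def autocorrelation_sum():
    """sum_{l=1}^{N-1} AC_s(l), to be compared with autocorrelation_law()."""
    return sum(autocorrelation(l) for l in range(1, N))


def autocorrelation_law():
    """(2 n1 - N)^2 / N - 1 with n1 the number of 1's in a period."""
    n1 = len(C[1])
    return Fraction((2 * n1 - N) ** 2, N) - 1


def autocorrelation_is_flat():
    """True if AC_s(l) = -1/N for every l != 0 (ideal two-level autocorrelation)."""
    return all(autocorrelation(l) == Fraction(-1, N) for l in range(1, N))


if __name__ == "__main__":
    check_conservation()
    print("one bit h_0 = 1:", round(info_pattern(1, 1, 0), 3), "bits")
    print("worst two-bit pattern:", worst_pattern(), round(info_pattern(*worst_pattern()), 3), "bits")
    print("autocorrelation sum", autocorrelation_sum(), "law", autocorrelation_law())
```

For this f the set C_1 is an (11, 5, 2) difference set, so every two-bit pattern (1, 1; w) with w \neq 0 leaves exactly two candidate keys and leaks \log_2(11/2) bits, against \log_2(11/5) bits for the single bit h_0 = 1; the conservation laws show that this extra leakage is paid for by the other patterns at the same w, which leak less.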
It is not difficult to prove the above theorems, which provide the theoretical basis for analyzing mutual information stability between two-bit patterns and the key. Generalizing the above theorems to the case of an arbitrary finite G is also straightforward. For other generators there will usually also exist conservations of some mutual information. Thus, it is important to discover those conservations and to make compromises. Asking for too much gain in one sense without considering the possible loss in another sense could be dangerous.

16.3 Localness and Globalness
One of the most troublesome problems in cryptography may be the control of some local cryptographic properties, such as local linear complexity, local sphere complexity and local density of cryptographic transformations and so forth. We analyze some cryptographic properties of the designed key stream within one period, which is usually very large, but we use only a very small part of each key stream. Thus, local properties are in general much more important than global ones. We begin with densities of cryptographic transformations (briefly, trans-densities or T-densities [98]). Let M be the plaintext space, C the ciphertext space, K the key space and T_K the set of encryption or decryption transformations specified by the keys. Then a trans-density is defined by

D_0(T, K) = 1 - \max_{k \neq k'} \Pr(t_k, t_{k'}),
where \Pr(t_k, t_{k'}) denotes the probability of agreement between the two encryption or decryption transformations specified by the two keys, which for simplicity is usually taken to be 1 - d(t_k, t_{k'})/|M|, where d(t_k, t_{k'}) denotes the distance between t_k and t_{k'}, i.e. the number of messages on which they differ. The introduction of trans-densities was inspired by the following three cryptographic questions.

Question 16.3.1 To break a cipher or to decipher a piece of ciphertext, do we have to recover the original key?

Question 16.3.2 Are the encryption transformations and decryption transformations specified by the keys really "different" from one another?

Question 16.3.3 When the answer to Question 16.3.2 is "yes", for a given key k, is there any key k' \in K such that the probability of agreement \Pr(t_k, t_{k'}) is large enough, or the distance d(t_k, t_{k'}) small enough? If there are such keys, which ones are they and how many are there?

The importance of the questions is clear, as attacks may involve trying partial keys. That they are practical follows from the fact that the M-209 cipher machine had large equivalence classes of keys. However, it seems that for most proposed ciphers the above three questions have not been answered. The trans-density is related to partial-key attacks, key density, key size, message density, message and cryptogram residue classes, perfect secrecy, autocorrelation and crosscorrelation functions of sequences, difference sets, difference property of partitions, nonlinearity of cryptographic functions, affine approximation of functions, mutual information stability and source coding. Thus, the importance of trans-densities is clear. However, it follows from the definition that D(T, K) is a global property of the cryptographic transformations. Theoretically, many enciphering transformations may be different, but practically they may be the same, since the block length of most proposed block ciphers is quite large. Intuitively, the larger the block length, the more difficult it is to control local properties of cryptographic systems. The linear complexity of key streams is clearly a global property. The local linear complexities of a key stream are more important, but they are usually difficult to control. We have the same problems for sphere complexity.
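The following Python program is an added example, not code from the book, of computing a trans-density and answering Question 16.3.3 for two toy ciphers constructed here. Both encrypt 8-bit messages under a 7-bit key k = (a, b, c) with a and b of three bits and c of one bit. The first uses its key only through a \oplus b, so that keys with equal (a \oplus b, c) specify the same transformation, in the manner of the M-209 equivalence classes mentioned above; the second lets every key bit act. \Pr(t_k, t_{k'}) is computed as 1 - d(t_k, t_{k'})/|M| over the whole message space, and D_0(T, K) = 1 - \max_{k \neq k'} \Pr(t_k, t_{k'}). The nibble substitution uses the published PRESENT 4-bit S-box; the key schedule and the message space are the example's own.

```python
"""Trans-density D_0(T, K) and key-equivalence classes for two toy ciphers.

Added example, not from the book.  Both ciphers are constructed here: each
maps 8-bit messages to 8-bit ciphertexts under a 7-bit key k = (a, b, c) with
a, b of 3 bits and c of 1 bit.  The "collapsing" cipher sees its key only
through a ^ b, the "separating" cipher uses every key bit.  Pr(t_k, t_k') is
1 - d(t_k, t_k')/|M| with d the number of messages on which the two
transformations disagree.
"""
from itertools import combinations

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
MSGS = range(256)
KEYS = range(128)


def split_key(k):
    return k & 7, (k >> 3) & 7, (k >> 6) & 1          # a, b, c


def nibble_sub(x):
    return SBOX[x & 0xF] | (SBOX[x >> 4] << 4)


def collapsing_encrypt(k, m):
    """Only a ^ b and c reach the message: keys with equal (a ^ b, c) are equivalent."""
    a, b, c = split_key(k)
    return nibble_sub(m ^ ((a ^ b) | (c << 3)))


def separating_encrypt(k, m):
    """a and c whiten the input, b whitens the output: all 128 keys act differently."""
    a, b, c = split_key(k)
    return nibble_sub(m ^ (a | (c << 3))) ^ b


def transformation(enc, k):
    """t_k as a table over the whole message space."""
    return tuple(enc(k, m) for m in MSGS)


def agreement(t1, t2):
    """Pr(t_k, t_k') = 1 - d(t_k, t_k')/|M|."""
    d = sum(1 for x, y in zip(t1, t2) if x != y)
    return 1 - d / len(MSGS)


def analyse(enc):
    """Returns (D_0, number of distinct transformations, largest equivalence class)."""
    tables = {k: transformation(enc, k) for k in KEYS}
    classes = {}
    for k, t in tables.items():
        classes.setdefault(t, []).append(k)
    worst = max(agreement(tables[k1], tables[k2]) for k1, k2 in combinations(KEYS, 2))
    return 1 - worst, len(classes), max(len(c) for c in classes.values())


def closest_keys(enc, k, how_many=3):
    """Question 16.3.3 for one key: the other keys whose transformation agrees most with t_k."""
    tk = transformation(enc, k)
    ranked = sorted(((agreement(tk, transformation(enc, k2)), k2) for k2 in KEYS if k2 != k),
                    reverse=True)
    return ranked[:how_many]


if __name__ == "__main__":
    for name, enc in (("collapsing", collapsing_encrypt), ("separating", separating_encrypt)):
        print(name, "D_0 = %.3f, distinct transformations = %d, largest class = %d" % analyse(enc))
        print("  keys closest to key 5:", closest_keys(enc, 5))
```

The collapsing cipher has D_0 = 0: its 128 keys specify only 16 transformations, in classes of 8, and for key 5 the program lists keys that agree with it on every message. The separating cipher has 128 distinct transformations and D_0 of at least 3/4, since two keys that differ in the input whitening can agree on at most a quarter of the messages through the S-box. As the text says, these figures are global: they describe the whole message space, not the few blocks an attacker actually sees.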
16.4 Goodness and Badness
Before discussing problems concerning goodness and badness, we should agree on what "goodness" and "badness" mean. Unfortunately, we cannot give strict mathematical definitions for goodness and badness. It is clear that these two concepts are relative. Nevertheless, this does not mean that there is no distinction between goodness and badness. The first point of the relativity of goodness and badness is that they are comparative concepts. When we say that something is good, we mean that it is good relative to a specific thing or a set of specific things. Goodness and badness are also relative to
1. the aspect from which a thing is considered,
2. the context in which a thing occurs,
3. the time at which a thing occurs,
4. the purpose for which a thing is used.
These facts may be illustrated by the following cryptographic examples. As shown in Section 16.1, it is very hard to decide whether linear functions are cryptographically good or bad. It depends on the system in which they are used and how they are used. This may indicate that it is necessary to discuss the cryptographic properties of some building blocks, but to judge their cryptographic value without a specific context may not be reasonable. Now we turn to primes. Many ciphers are based on numbers and, in particular, on primes. Thus, primes are building blocks of many ciphers. Similarly, it may be impossible to say which primes are cryptographically good or better without giving specific cryptographic contexts. Mersenne primes are cryptographically bad when they are used as periods of binary sequences, due to the fact that the order of 2 modulo a Mersenne prime 2^m - 1 is m, but they are good as periods of sequences over some other fields. Primes for RSA and those for stream ciphers are different in some aspects (see Section 5.10), and primes for different keystream generators are also required to have some special properties.
Summarizing the section, we conclude that many possible cryptographic building blocks have both good sides and bad sides with respect to specific contexts. What a cryptographer does is to find those good and bad sides with respect to some considerations and to use those good and bad sides in a proper way.

Figure 16.2: (a) a cascade of two ciphers C1 and C2; (b) a product of two ciphers C1 and C2 driven by one key source.
16.5 About Good plus Good
Before discussing the topic, let us agree that we have a measure of goodness for some cryptographic building blocks with respect to some cryptographic aspect. Given the definition of plus as some kind of combination of two cryptographic building blocks, does "good plus good" give good? This depends on the measure of goodness and the definition of plus together with the two building blocks. The answer could be both "good" and "bad". The bitwise modulo-2 sum of two sequences with large linear complexity may give a new sequence with very small linear complexity or with large linear complexity. Also let f(x) be a mapping from an Abelian group (A, +) to an Abelian group (B, +), and let g(x) be a mapping from (B, +) to an Abelian group (C, +). Assume that f and g have good nonlinearity with respect to [(A, +), (B, +)] and [(B, +), (C, +)] respectively. Then the composition function h(x) = g(f(x)) may have good or bad nonlinearity with respect to [(A, +), (C, +)]. Concerning the pattern distribution and difference property of sequences we have the same conclusion. Now the problem is how to develop techniques which ensure "good plus good = good."

We now turn to the cascade of ciphers. Cascade ciphers and product ciphers can be depicted by Figure 16.2(a) and 16.2(b) respectively [240]. The distinction between cascade ciphers and product ciphers [240, 329] is that in the latter the keys of the component ciphers need not be statistically independent, whereas in the former they are. Assume that ciphers C1 and C2 are good ciphers with respect to some specific security measures and that cascading is considered as a kind of plus. Then one question is whether we have "good plus good = good", or equivalently whether the cascaded cipher is good with respect to those specific security measures. For details about this problem we refer to Maurer and Massey [240]. Iteration is the most used technique in designing block ciphers. Many block ciphers are based on iterating a round function several times. It is usually easy for us to control some cryptographic properties of the round function or of the S-boxes of the round function, but very difficult to control those of the cryptographic transformations resulting from the iterations. For example, for many block ciphers, we do not even know how many fixed points their enciphering transformations have. This is one of the basic cryptographic problems we should solve, since ciphers whose cryptographic transformations have many fixed points are not secure. Summarizing this section, we conclude that "good plus good" could be "good" or "bad", depending on the definitions of "good" and plus. The most important problem is to develop techniques that ensure "good plus good = good," which is usually not easy. Of course, the techniques depend on what the measures of goodness and plus are. For example, if we consider the bitwise modulo-2 sum of two binary sequences and take the size of the linear complexity as a measure of goodness, then one technique to ensure "good plus good = good" is to ensure that the minimal polynomials of the two sequences are relatively prime, for then the minimal polynomial of the sum is their product and the linear complexities add. Consider now the composition of mappings, which is used in many ciphers.
This is to say that here plus is defined to be the mapping composition. Taking the nonlinearity of mappings as the measure of goodness, we ask the question as to how to develop techniques for ensuring "good plus good = good," that is, how can we develop techniques to ensure that the composition mapping of two mappings with good nonlinearity has also good nonlinearity?
16.6 About Good plus Bad
At first glance we may have the impression that this is very similar to "good plus good". This is however not true. In fact it is easy to give examples of "good plus bad = good", but difficult to find examples of "good plus bad = bad". One example for the latter case is the bitwise product of two binary sequences when the balance between 1's and 0's within one period is taken as the measure of goodness. Generally, whether "good plus bad" gives "good" depends on the measure of goodness and whether the "plus" has a tendency to preserve "goodness." However, it should be pointed out that we do not know whether "good plus bad" gives "good" in most cases. Thus, techniques for ensuring "good plus bad = good" are needed. One of the main techniques employed in this book is the use of a mapping with good nonlinearity together with an (almost) linear function to get another mapping with good nonlinearity. This technique has been used frequently in Chapter 7, Chapter 10 and Chapter 13.

16.7 About Bad plus Good
It is not hard to see that "bad" plus "good" could give "bad" or "good". To illustrate this, we consider the composition of two mappings and take nonlinearity as a measure of goodness. Let \alpha be a nontrivial linear onto mapping from an Abelian group (F, +) to another one (G, +), and let \beta be an onto mapping from (G, +) to a third Abelian group (H, +). Then the composition mapping defined by

\gamma(x) = \beta(\alpha(x)), \quad x \in F,

is a mapping from F to H. For any g \in G define

F_g = \{x \in F : \alpha(x) = g\}.

Since \alpha is a linear onto mapping, (F_0, +) must be a subgroup of (F, +) with |F|/|G| elements. It is also easily seen that \bigcup_{g \in G} F_g = F and F_{g_1} \cap F_{g_2} = \emptyset for g_1 \neq g_2; in fact every F_g is a coset of F_0 and so also has |F|/|G| elements. Since \alpha is constant on every F_g, for f \in F and h \in H we have

|\{x \in F : \gamma(x + f) - \gamma(x) = h\}| = |\{x \in F : \beta(\alpha(x) + \alpha(f)) - \beta(\alpha(x)) = h\}| = \frac{|F|}{|G|} \, |\{y \in G : \beta(y + g) - \beta(y) = h\}|,

where g = \alpha(f). Hence

\Pr(\gamma(x + f) - \gamma(x) = h) = \Pr(\beta(y + g) - \beta(y) = h).

Thus, if |F| = |G|, then the nonlinearity of \gamma is the same as that of \beta. In this case, we have "bad plus good = good" and "bad plus bad = bad". However, if |F|/|G| is quite large, the nonlinearity of \gamma is much worse than that of \beta: every f \in F_0 has g = 0, so \gamma(x + f) = \gamma(x) for all x, and each nonzero f \in F_0 gives a difference relation that holds with probability one. In this case, we have "bad plus bad = bad" and "bad plus good = bad". Thus if we are going to have goodness, we have to pay for it.
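The argument above can be checked numerically. The following Python program is an added example, not code from the book: it takes for \beta the cube map y \mapsto y^3 on GF(2^3) (modulus x^3 + x + 1, constructed here; this map has differential uniformity 2), for \alpha either a linear bijection of Z_2^3 or the linear onto map Z_2^6 \to Z_2^3 that XORs the two halves of its argument (so |F|/|G| = 8), and compares the differential probabilities \Pr(\gamma(x + f) - \gamma(x) = h) with those of \beta. It confirms the identity above for every f and h, that \gamma is exactly as nonlinear as \beta when |F| = |G|, and that with |F|/|G| = 8 every nonzero f in F_0 gives a relation \gamma(x + f) = \gamma(x) holding with probability one. The groups, the maps and the measure of nonlinearity (the largest differential probability) are the example's own choices.

```python
"""Composition of a linear onto map alpha with a nonlinear map beta, Section 16.7.

Added example, not from the book.  Groups are Z_2^n with XOR as addition.
beta is the cube map x -> x^3 in GF(2^3) (modulus x^3 + x + 1), constructed
here; alpha is either a linear bijection of Z_2^3 (|F| = |G|) or the linear
onto map Z_2^6 -> Z_2^3 that XORs the two halves of its input (|F|/|G| = 8).
Nonlinearity is measured through the differential probabilities
Pr_x[gamma(x + f) - gamma(x) = h].
"""
from fractions import Fraction


def gf8_mul(a, b):
    """Multiplication in GF(2^3) with modulus x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x8:
            a ^= 0b1011
    return r


def beta(y):
    """The cube map on GF(2^3): a bijection with differential uniformity 2."""
    return gf8_mul(gf8_mul(y, y), y)


def alpha_bijective(x):
    """Linear bijection of Z_2^3: (b2, b1, b0) -> (b2, b1 + b2, b0 + b1)."""
    return (x ^ (x >> 1)) & 0x7


def alpha_onto(x):
    """Linear onto map Z_2^6 -> Z_2^3: XOR of the high and low halves."""
    return ((x >> 3) ^ x) & 0x7


def diff_prob(func, bits, f, h):
    """Pr over x in Z_2^bits that func(x ^ f) ^ func(x) == h, as an exact fraction."""
    size = 1 << bits
    hits = sum(1 for x in range(size) if func(x ^ f) ^ func(x) == h)
    return Fraction(hits, size)


def max_diff_prob(func, bits):
    """max over nonzero f and all h of the differential probability; 1 means a
    difference relation holds for every input, i.e. no nonlinearity at all there."""
    return max(diff_prob(func, bits, f, h) for f in range(1, 1 << bits) for h in range(8))


def composition_law_holds(alpha, in_bits):
    """Pr(gamma(x+f) - gamma(x) = h) == Pr(beta(y + alpha(f)) - beta(y) = h) for all f, h."""
    gamma = lambda x: beta(alpha(x))
    return all(diff_prob(gamma, in_bits, f, h) == diff_prob(beta, 3, alpha(f), h)
               for f in range(1 << in_bits) for h in range(8))


def kernel_differences(alpha, in_bits):
    """Nonzero f with alpha(f) = 0: for these gamma(x + f) = gamma(x) for every x."""
    return [f for f in range(1, 1 << in_bits) if alpha(f) == 0]


if __name__ == "__main__":
    print("beta alone:", max_diff_prob(beta, 3))
    print("|F| = |G|:", max_diff_prob(lambda x: beta(alpha_bijective(x)), 3))
    print("|F|/|G| = 8:", max_diff_prob(lambda x: beta(alpha_onto(x)), 6),
          "kernel differences", kernel_differences(alpha_onto, 6))
```

With |F| = |G| the composition inherits \beta's maximal differential probability of 1/4 unchanged; with |F|/|G| = 8 the seven nonzero elements of F_0 each give a probability-1 relation, so the composition is as weak as a linear map on those differences, which is the price the text speaks of.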
16.8 Hardware and Software Model Complexity
In stream ciphers the linear complexity (linear span), quadratic span, and 2-adic span are based on the linear feedback shift register model, the quadratic feedback shift register model, and the feedback with carry shift register model, respectively. These complexity measures are based on special hardware circuits which are usually quite efficient. These generators can be used as complexity models for producing sequences over a finite field (GF(2) in the case of 2-adic span) because every ultimately periodic sequence over the field can be generated by such a generator by choosing proper design parameters. However, to use the least amount of memory in such a special generator as a security measure, we have to have an "efficient" algorithm to determine the design parameters or initial loading with which the generator produces a given sequence. With respect to the LFSR model, we have the efficient Berlekamp-Massey algorithm. With respect to the FCSR model, we also have an efficient algorithm, the rational approximation algorithm. Although every periodic sequence can be generated by the NSG in Section 2.2.1, it cannot be used as a security model since we have not found an efficient algorithm to determine the initial loading with which it produces a given sequence. For simple and efficient hardware models the main problem is the memory size, since in such a model the computational complexity is very small due to the speciality and simplicity of the models. Of course, the computational complexity of the model usually increases when the size of memory does. It is also possible to produce every ultimately periodic binary sequence with the software algorithm of Section 14.2. Theoretically every ultimately periodic sequence can be produced with a similar algorithm by a proper selection of the input parameters p and q. To use the smallest memory, the input parameters should be reduced.
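The following Python program is an added example, not code from the book, serving both Section 16.5 (the bitwise modulo-2 sum of two sequences and the relatively-prime minimal polynomial condition) and this section's software 2-adic span. It contains its own Berlekamp-Massey implementation over GF(2), a small LFSR generator and the digit-by-digit 2-adic expansion of p/q for odd q; the sequences and the fractions are constructed for the example. It shows that the sum of an m-sequence of linear complexity 3 and a sequence of linear complexity 2 with coprime minimal polynomials has linear complexity 5, while the sum of the same m-sequence and its complement (linear complexity 4) collapses to the all-ones sequence; and it computes the index \Lambda_2(p, q) = [\log|p|] + [\log|q|] of the next paragraph for a reduced and an unreduced fraction with the same expansion, next to the period and the linear complexity of the expansion. The bracket is read as the integer part of \log_2, which is an assumption of the example.

```python
"""Linear complexity of sums of sequences (Section 16.5) and the software
2-adic span Lambda_2(p, q) of Section 16.8, on constructed sequences.

Added example, not from the book.  It contains its own Berlekamp-Massey
implementation over GF(2), a small LFSR, and the digit-by-digit 2-adic
expansion of a rational p/q with q odd; all sequences are constructed here.
The bracket in Lambda_2(p, q) = [log|p|] + [log|q|] is read as the integer
part of log_2 (an assumption; the text does not fix the rounding).
"""


def berlekamp_massey(s):
    """Linear complexity (shortest LFSR length) of a binary sequence."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            t = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L


def lfsr(taps, init, length):
    """Bits of s_{i+n} = sum_{j in taps} s_{i+j} (mod 2), n = len(init); taps are
    the exponents of the lower-degree terms of the connection polynomial."""
    s = list(init)
    while len(s) < length:
        s.append(sum(s[-len(init) + j] for j in taps) & 1)
    return s[:length]


def xor(s, t):
    """Bitwise modulo-2 sum of two sequences."""
    return [a ^ b for a, b in zip(s, t)]


def two_adic_expansion(p, q, length):
    """First `length` digits a_i of the 2-adic expansion p/q = sum a_i 2^i, q odd."""
    if q % 2 == 0:
        raise ValueError("q must be odd")
    digits = []
    for _ in range(length):
        a = p % 2                       # q is odd, so p - a*q is even
        digits.append(a)
        p = (p - a * q) // 2
    return digits


def period(s):
    """Least period of a strictly periodic sequence, given enough terms."""
    for T in range(1, len(s) // 2 + 1):
        if all(s[i] == s[i + T] for i in range(len(s) - T)):
            return T
    return None


def lambda_2(p, q):
    """Lambda_2(p, q) = [log2 |p|] + [log2 |q|]: memory needed to store the fraction."""
    return (abs(p).bit_length() - 1) + (abs(q).bit_length() - 1)


def sum_with_coprime_minimal_polynomials():
    """s from x^3+x+1 (LC 3) plus u from x^2+x+1 (LC 2): coprime minimal polynomials, LC 5."""
    s = lfsr((0, 1), (1, 0, 0), 42)     # s_{i+3} = s_i + s_{i+1}
    u = lfsr((0, 1), (1, 0), 42)        # u_{i+2} = u_i + u_{i+1}
    return berlekamp_massey(s), berlekamp_massey(u), berlekamp_massey(xor(s, u))


def sum_with_common_factor():
    """s (LC 3) plus its complement t (LC 4): both 'good', but the sum is all ones, LC 1."""
    s = lfsr((0, 1), (1, 0, 0), 42)
    t = [1 ^ x for x in s]
    return berlekamp_massey(s), berlekamp_massey(t), berlekamp_massey(xor(s, t))


def software_span_versus_linear_span(p, q, length=60):
    """(period, Lambda_2(p, q), linear complexity) of the 2-adic expansion of p/q."""
    seq = two_adic_expansion(p, q, length)
    return period(seq), lambda_2(p, q), berlekamp_massey(seq)


if __name__ == "__main__":
    print("coprime minimal polynomials (LC s, LC u, LC s+u):", sum_with_coprime_minimal_polynomials())
    print("common factor (LC s, LC t, LC s+t):", sum_with_common_factor())
    for p, q in ((-1, 7), (-3, 21), (-1, 19)):
        print("p/q = %d/%d:" % (p, q), software_span_versus_linear_span(p, q))
```

For -1/7 the expansion is 100100..., period 3 = the order of 2 modulo 7, with \Lambda_2 = 2 but linear complexity 3; the unreduced -3/21 has the same expansion and \Lambda_2 = 5, which is why the parameters must be reduced before \Lambda_2 is used as a measure. For -1/19 the period is 18 and \Lambda_2 = 4, while the linear complexity of the same sequence is a different quantity altogether.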
Due to the 2-RA algorithm of Section 14.6, the index defined by

\Lambda_2(p, q) = [\log |p|] + [\log |q|]

should be a software complexity for the 2-adic expansion sequence of the rational number p/q, where p/q is reduced. The above measure \Lambda_2(p, q) is really an analogue of the usual linear span, and it behaves slightly differently from the 2-adic span. This software model of complexity for binary ultimately periodic sequences is with respect to the specific algorithm of Section 14.2, where the number of computations needed is very small. The 2-RA algorithm indicates that it should be a security measure. This is a software 2-adic span. In some cases a software complexity could be much more convenient and reasonable than a hardware one based on some awkward hardware model. With the advent of powerful computers, software model complexities with respect to some algorithms seem to be more promising. We should be aware of the fact that the linear span can be defined without the LFSR hardware model. It existed long before the electronic age. Similar to hardware model complexities, software model complexities must be relative to an algorithm. The algorithm should usually be efficient in software; in this case the software complexity should be mainly based on the memory size. There are also some other complexity models and security measures based on hardware models, which are used not to produce the original sequence, but to produce a sequence which is almost the same as the original sequence. The linear complexity (linear span) of a sequence could be very large, but it could be possible to use a very small linear feedback shift register to produce another sequence which is almost the same as the original sequence. The sphere complexity (see Section 2.3.4) is based on the LFSR hardware approximation model [94, 97].

Notes on Sequences
As this book is mainly about keystream sequences and number theory, we cannot cover other aspects of sequences. In this note we give some other information on sequences. For linear complexity profiles of sequences we refer to Dai [75], Niederreiter [257, 258, 259, 260], Niederreiter and Vielhaber [259, 261, 263]. Information on the linear complexity and minimal polynomials of the products of sequences can be found in Zierler and Mills [400], Herlestam [167], and Göttfert and Niederreiter [141, 142], where the relation between Hasse-Teichmüller derivatives and products of sequences is established. The linear complexity of bent sequences is discussed by Kumar and Scholtz [202]. Information on integer sequences can be found in the two books by Sloane [339] and Sloane and Plouffe [340]. The book by Golomb [139] is devoted to shift-register sequences. Information on sequences with low correlation can be found in Helleseth and Kumar [164], Sarwate [313], Klapper [189], No and Kumar [266], and No [267]. For clock-controlled sequences we refer to Gollmann [133, 134], Gollmann and Chambers [135, 136], and Smeets [341, 342] for detailed references. Sequences over rings are interesting in both theory and applications. Information on this topic is available from Klove [194, 195, 196], Dai, Beth, and Gollmann [76]. Design and analysis of geometric sequences are carried out by Chan and Games [55], and Klapper [188]. For the existence of secure keystream generators, see Klapper [192].
Appendix A More About Cyclotomic Numbers
The cryptographic importance of cyclotomic numbers has been seen in some of the preceding chapters. Formulae for the cyclotomic numbers of orders 2, 3, 4, 5, 6 [85]; 7 [219]; 8 [211]; 9 [13]; 10 [387]; 11 [220]; 12 [386]; 14 [254]; 15 [41]; 16 [385, 120]; 18 [13]; 20 [255]; 24 [121] are already known. Some of these cyclotomic numbers have already been introduced in Chapter 4. Due to the cryptographic importance of cyclotomic numbers, we make some notes about those which have not been introduced in Chapter 4. Formulae for some cyclotomic numbers are also given here. Others are too long to present here.

A.1 Cyclotomic Numbers of Order 7
The cyclotomic numbers of order seven, calculated by Leonard and Williams [219], can be given in terms of the solutions of a certain triple of Diophantine equations, analogous to the expressions for the cyclotomic numbers of order 5 in terms of the solutions of a pair of Diophantine equations (see for example [386]). To introduce the cyclotomic numbers, we need the following result about Diophantine equations due to Leonard and Williams [218, 219]:

Proposition A.1.1 If p \equiv 1 \pmod 7 then there are exactly six integral simultaneous solutions of the triple of Diophantine equations

72p = 2x_1^2 + 42(x_2^2 + x_3^2 + x_4^2) + 343(x_5^2 + 3x_6^2),

12x_2^2 - 12x_4^2 + 147x_5^2 - 441x_6^2 + 56x_1x_6 + 24x_2x_3 - 24x_2x_4 + 48x_3x_4 + 98x_5x_6 = 0, \qquad (A.1)

12x_3^2 - 12x_4^2 + 49x_5^2 - 147x_6^2 + 28x_1x_5 + 28x_1x_6 + 48x_2x_3 + 24x_2x_4 + 24x_3x_4 + 490x_5x_6 = 0,

satisfying x_1 \equiv 1 \pmod 7, distinct from the two "trivial" solutions (6t, \pm 2u, \pm 2u, \mp 2u, 0, 0), where t is given uniquely and u is given ambiguously by

p = t^2 + 7u^2, \quad t \equiv 1 \pmod 7. \qquad (A.2)

If (x_1, \ldots, x_6) is a nontrivial solution with x_1 \equiv 1 \pmod 7 then two others are given by

(x_1, -x_3, x_4, x_2, (-x_5 - 3x_6)/2, (x_5 - x_6)/2)

and

(x_1, -x_4, x_2, -x_3, (-x_5 + 3x_6)/2, (-x_5 - x_6)/2).

Each of the other three can be obtained from one given above by changing the signs of x_2, x_3, x_4.
The following well-known relations about cyclotomic numbers,

(h, k) = (h + ae, k + be) for any integers a and b,

(h, k) = (k, h) if f is even,

(h, k) = (e - h, k - h),

yield the following matrix [346, 219]

    A B C D E F G
    B G H I J K H
    C H F K L L I
    D I K E J L J
    E J L J D I K
    F K L L I C H
    G H I J K H B       (A.3)

in which the letter in the hth row and kth column, h, k = 0, 1, 2, \ldots, 6, represents the value of (h, k). Thus the 49 cyclotomic numbers of order 7 reduce to the determination of the 12 quantities A, B, C, D, E, F, G, H, I, J, K, L. By making use of the Jacobi sum J(m, n) and the Dickson-Hurwitz sums of order 7, Leonard and Williams got the following results about the 12 constants.

Proposition A.1.2 Let p \equiv 1 \pmod 7 be a prime. Let (x_1, \ldots, x_6) be any nontrivial solution of (A.1) with x_1 \equiv 1 \pmod 7, let (t, u) be the solution of (A.2), and let the sign of u be chosen to satisfy

u \equiv 3x_2 + 2x_3 \pmod 7.

Then for some primitive root g of p the cyclotomic numbers of order 7 are given by (A.3) and

49A = p - 20 - 12t + 3x_1,
588B = 12p - 72 + 24t + 168u - 6x_1 + 84x_2 - 42x_3 + 147x_5 + 147x_6,
588C = 12p - 72 + 24t + 168u - 6x_1 + 84x_3 - 42x_4 - 294x_6,
588D = 12p - 72 + 24t - 168u - 6x_1 + 42x_2 + 84x_4 - 147x_5 + 147x_6,
588E = 12p - 72 + 24t + 168u - 6x_1 - 42x_2 - 84x_4 - 147x_5 + 147x_6,
588F = 12p - 72 + 24t - 168u - 6x_1 - 84x_3 + 42x_4 - 294x_6,
588G = 12p - 72 + 24t - 168u - 6x_1 - 84x_2 + 42x_3 + 147x_5 + 147x_6,
588H = 12p + 12 + 24t + 8x_1 - 196x_5,
588I = 12p + 12 - 60t - 84u - 6x_1 + 42x_2 + 42x_3 - 42x_4,
588J = 12p + 12 + 24t + 8x_1 + 98x_5 - 294x_6,
588K = 12p + 12 - 60t + 84u - 6x_1 - 42x_2 - 42x_3 + 42x_4,
588L = 12p + 12 + 24t + 8x_1 + 98x_5 + 294x_6.

(As a check, the entries of each row of (A.3) sum to f = (p - 1)/7, minus one for the first row; the terms in t, u and x_1, \ldots, x_6 cancel in these sums.)

Table A.1: The relations between the cyclotomic numbers of order 9. The entry in row k, column h is the pair (h', k') to which (h, k) reduces.

    k\h    0   1   2   3   4   5   6   7   8
    0     00  01  02  03  04  05  06  07  08
    1     01  08  12  13  14  15  16  17  12
    2     02  12  07  17  24  25  26  24  13
    3     03  13  17  06  16  26  36  25  14
    4     04  14  24  16  05  15  25  26  15
    5     05  15  25  26  15  04  14  24  16
    6     06  16  26  36  25  14  03  13  17
    7     07  17  24  25  26  24  13  02  12
    8     08  12  13  14  15  16  17  12  01
A.2 Cyclotomic Numbers of Orders 9, 18

The cyclotomic numbers of orders nine and eighteen were determined by Baumert and Fredrickson in 1967 [13]. The relations between the 81 cyclotomic constants are given by Table A.1. Thus, the 81 possible cyclotomic numbers reduce to just 19 distinct ones. Each cyclotomic number of orders 9 and 18 is expressed as a constant plus a linear combination of p, L, M, c_0, \ldots, c_5, where 4p = L^2 + 27M^2, L \equiv 7 \pmod 9, and c_0, \ldots, c_5 are the coefficients of a factorization of p in the field of 9th roots of unity (\beta being a primitive 9th root of unity). The formulas for cyclotomic numbers of order 9 are relatively simple. But the tables of cyclotomic numbers of order 18 are too large to present [13]; they were deposited in the unpublished mathematical tables file maintained by Mathematics of Computation. However, the relations between the cyclotomic constants of order 18 and some selected cyclotomic numbers can be found in the tables in [13]. The application of those cyclotomic numbers to the determination of residue difference sets has also been discussed in that paper.

A.3 Cyclotomic Numbers of Order Eleven
The basic work for evaluating the cyclotomic numbers of order 11 was laid by Dickson [85, 87]. A complete treatment of the cyclotomic numbers of order eleven was given by Leonard and Williams [219]. Let p = 11f + 1 be a prime with f even. Based on the basic relations among cyclotomic numbers, the 121 cyclotomic constants are reduced to 26 quantities as in the following matrix, in which the letter in the hth row and kth column, h, k = 0, 1, \ldots, 10, represents the value of (h, k):

    A B C D E F G H I J K
    B K L M N O P Q R S L
    C L J S T U V W X T M
    D M S I R X Y Z Y U N
    E N T R H Q W Z Z V O
    F O U X Q G P V Y W P
    G P V Y W P F O U X Q
    H Q W Z Z V O E N T R
    I R X Y Z Y U N D M S
    J S T U V W X T M C L
    K L M N O P Q R S L B
The evaluation of the cyclotomic numbers of order 11 is based on the solutions of a set of Diophantine equations. We refer to [219].

A.4 On Other Cyclotomic Numbers
Based on the Jacobi sum, Muskat computed the cyclotomic numbers of order fourteen, and investigated their application to residue difference sets [254].
The Jacobi sums of order 15 were evaluated by Dickson and Muskat. Based on these evaluations, Buck, Smith, Spearman, and Williams obtained the Dickson-Hurwitz sums of order 15. Then they expressed each cyclotomic number in terms of the Dickson-Hurwitz sums, and finally obtained explicit formulas for the cyclotomic numbers of order 15 using the values of the Dickson-Hurwitz sums. For details we refer to [41]. The cyclotomic numbers of order sixteen were treated by Whiteman in [385], where a table of formulas for (i, 0) was given. In [120] Evans and Hill gave a complete table of the formulas for the cyclotomic numbers of order sixteen. Each number is expressed as a linear combination of parameters of quartic, octic, and bioctic Jacobi sums. Applications of these formulas were also discussed. Complete formulas for the cyclotomic numbers of order twenty were derived by Muskat and Whiteman [255]. The application of those cyclotomic constants to residue difference sets has also been discussed in that paper. The cyclotomic numbers of order 24 were calculated by Evans [121, 122]. According to [121], there are 48 tables, and each of the 48 tables contains 109 formulas.

A.5 Behind Cyclotomic Numbers
It is interesting to note that cyclotomic formulas have the same form. Behind this uniformity of known cyclotomic numbers is the Riemann Hypothesis for Curves over Finite Fields, which can be described as follows. T h e o r e m A.5.1 Suppose that F(x, y) is a polynomial of total degree d, with coefficients in GF(q) and with N zeros (x, y) E GF(q) x GF(q). Suppose that F(x, y) is absolutely irreducible, i.e., irreducible not only over GF(q), but also over every algebraic extension thereof. Then
IN  ql