a survey on recursive nonlinear pseudorandom number …
TRANSCRIPT
A Survey on Recursive Nonlinear
Pseudorandom Number Generators
Arne Winterhof
Austrian Academy of SciencesJohann Radon Institute for Computational and Applied Mathematics
Linz
MCQMC 2012
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 0 / 24
Pseudorandom Numbers
Numbers which are generated by a deterministic algorithm and ’lookrandom’ are called pseudorandom.
Desirable ’randomness properties’ depend on the application!
cryptography:unpredictability → high linear complexity
numerical integration (Monte Carlo):uniform distribution → low discrepancy
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 1 / 24
Pseudorandom Number Generators
A pseudorandom number generator is a sequence (sn) over a finitefield Fq (or residue class ring Zm).Here we consider only Fp with p prime.
We derive pseudorandom numbers in Z or in [0, 1) in the followingway:Identify Fp with {0, 1, . . . , p − 1}.
xn = sn/p ∈ [0, 1)
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 2 / 24
Part I: Predictability, Linear Complexity, and Lattice Structure
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 3 / 24
Linear Complexity
The linear complexity L(sn) of a periodic sequence (sn) over Fp is thesmallest positive integer L such that there are constantsc0, . . . , cL−1 ∈ Fp with
sn+L = cL−1sn+L−1 + . . . + c0sn, n ≥ 0.
For a positive integer N the Nth linear complexity L(sn,N) of asequence (sn) over Fp is the smallest positive integer L such thatthere are constants c0, . . . , cL−1 ∈ Fp satisfying
sn+L = cL−1sn+L−1 + . . . + c0sn,
0 ≤ n ≤ N − L− 1.
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 4 / 24
Linear Pseudorandom Number Generators
a, b, x0 ∈ Fp, a 6= 0
xn+1 = axn + b, n ≥ 0
– predictable (L(xn) ≤ 2)
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 5 / 24
(Recursive) Nonlinear Pseudorandom Number
Generators
f ∈ Fp[X ], 2 ≤ deg(f ) ≤ p − 1, x0 ∈ Fp
xn+1 = f (xn), n ≥ 0
(purely) periodic with period t ≤ p
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 6 / 24
Lower Bound on the Linear Complexity Profile
Gutierrez/Shparlinski/W. 2003:The linear complexity profile of a nonlinear sequence (xn) defined by
xn+1 = f (xn), n = 0, 1, . . . ,
with a polynomial f ∈ Fp[X ] of degree d ≥ 2, purely periodic withperiod t, satisfies
L(xn,N) ≥ min {dlogd(N − blogd Nc)e, dlogd te} .
Reason for weak result: The degrees in the sequence of iteration of f
f0(X ) = X , fk+1(X ) = f (fk(X )), k ≥ 0
grow exponentially.
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 7 / 24
L∑l=0
clxn+l = 0, 0 ≤ n ≤ N − L− 1, cL = −1
F (X ) =∑L
l=0 cl fl(X ) of degree dL has at least min{N − L, t} zeros.
dL ≥ min{N − L, t}
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 8 / 24
Inversive Generators
a, b, y0 ∈ Fp, a 6= 0
yn+1 = ayp−2n + b =
{ay−1
n + b, yn 6= 0,b, yn = 0.
Gutierrez/Shparlinski/W. 2003:
L(yn,N) ≥ min
{⌈N − 1
3
⌉,
⌈t − 1
2
⌉}
Reason for better result:f (X ) = bX+a
X, fj(X ) =
ajX+bjcjX+d
(still predictable and not suitable for cryptography but for MC)
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 9 / 24
Power Generator
f (X ) = X e
Griffin/Shparlinski, 2000:
L(pn,N) ≥ min
{N2
4(p − 1),
t2
p − 1
}, N ≥ 1.
Reason for better result: fk(X ) = X ek mod p−1
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 10 / 24
Dickson generator
De(x + x−1) = xe + x−e , x ∈ Fp2
un+1 = De(un), n ≥ 0,
with some initial value u0 and e ≥ 2.Aly/W. 2006:
L(un,N) ≥ min{N2, 4t2}16(p + 1)
− (p + 1)1/2
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 11 / 24
Other nice nonlinear generators
Redei generator, Meidl/W. 2007multivariate polynomials, Topuzoglu/W. 2005: nonlinear andinversive generators of order mpolynomial systems, Ostafe/Shparlinski/W. 2010polynomials with low p-weight degree, Ibeas/W. 2010
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 12 / 24
Marsaglia’s Lattice test, 1972
(ηn) T-periodic sequence over Fp
For s ≥ 1 we say that (ηn) passes the s-dimensional lattice test if thevectors {un − u0 : 1 ≤ n < T} span Fs
p, where
un = (ηn, ηn+1, . . . , ηn+s−1), 0 ≤ n < T .
S(ηn) = max{s : 〈un − u0, 1 ≤ n < T 〉 = Fs
p
}
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 13 / 24
Niederreiter/W. 2002: L(ηn) = S(ηn) or = S(ηn) + 1
Dorfer/W. 2003: Lattice test for parts of the period, S(ηn,N)We have either
S(ηn,N) = min(L(ηn,N),N + 1− L(ηn,N))
orS(ηn,N) = min(L(ηn,N),N + 1− L(ηn,N))− 1.
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 14 / 24
Little is known about lattice tests with arbitrary lags, i.e., vectors(xn+d0 , xn+d1 , . . . , xn+ds−1) ∈ Fs
p with 0 ≤ d0 < d1 < . . . < ds−1.
modified inversive generator, Niederreiter/W. 2007some explicit nonlinear generators, Pirsic/W. 2010, Chen/Ostafe/W.2010
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 15 / 24
Part II: Uniform Distribution and Discrepancy
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 16 / 24
Discrepancy
Γ ={
(γn,0, . . . , γn,s−1)Nn=1
}sequence of N points in the s-dimensional unit interval [0, 1)s
∆(Γ) = supB⊆[0,1)s
∣∣∣∣TΓ(B)
N− |B |
∣∣∣∣ ,where TΓ(B) is the number of points of Γ inside the box
B = [α0, β0)× · · · × [αs−1, βs−1) ⊆ [0, 1)s
and the supremum is taken over all such boxes.
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 17 / 24
Erdos-Turan-Koksma inequality (from discrepancy
to exponential sums)
∆(Γ) ≤(
3
2
)s 2
H + 1+
1
N
∑0<|a|≤H
s−1∏j=0
1
max{|aj |, 1}
∣∣∣Σ(s)N (Γ, a)
∣∣∣ ,
where
Σ(s)N (Γ, a) =
N∑n=1
exp
(2πi
s−1∑j=0
ajγn,j
)and the outer sum is taken over all integer vectorsa = (a0, . . . , as−1) ∈ Zs \ {0} with |a| = max
j=0,...,s−1|aj | ≤ H .
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 18 / 24
Nonlinear Pseudorandom Numbers
f ∈ Fp[X ], 2 ≤ deg(f ) ≤ p − 1, x0 ∈ Fp
xn+1 = f (xn), n ≥ 0
SN(a) =N−1∑n=0
ψ(axn), a 6= 0,
where ψ(x) = exp(2πix/p) is the additive canonical character of Fp.
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 19 / 24
Niederreiter/Shparlinski 1999:
SN(a) = O(N1/2p1/2 log(d)1/2 log(p)−1/2
), a 6= 0
(improvement, Niederreiter/W. 2008)
Main idea of proof:Reduction to Weil-bound:∣∣∣∣∣∣
∑x∈Fp
ψ(F (x))
∣∣∣∣∣∣ ≤ (deg(F )− 1)p1/2
Here:F (X ) =
∑ai fki (X )
Exponential degree growth when iterating f (X ) is the reason for theweakness of these bounds. (Cf. linear complexity bounds.)
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 20 / 24
Improvements for Special Nonlinear Generators
inversive generators: Niederreiter/Shparlinski 2001
DN = O(N−1/2p1/4 logs(p))
power generator: Friedlander/Shparlinski 2001Dickson generator: Gomez/Gutierrez/Shparlinski 2006Redei generator: Gutierrez/W. 2007polynomial systems: Ostafe/Shparlinski since 2009low p-weight degree: Ibeas/W. 2010
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 21 / 24
under construction
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 22 / 24
Linz opera house will open 2013
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 23 / 24
Thank you for your attention.
A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 24 / 24