Finite Fields and Their Applications 16 (2010) 329–333

Contents lists available at ScienceDirect

Finite Fields and Their Applications

www.elsevier.com/locate/ffa

On the linear complexity of the Naor–Reingold sequencewith elliptic curves

Marcos Cruz ∗, Domingo Gómez, Daniel Sadornil

Departamento de Matemáticas Estadística y Computación, Universidad de Cantabria, Santander, Spain

a r t i c l e i n f o a b s t r a c t

Article history:Received 17 March 2010Revised 26 May 2010Available online 11 June 2010Communicated by Arne Winterhof

Keywords:Naor–Reingold pseudo-random functionLinear complexityElliptic curves

The Naor–Reingold sequences with elliptic curves are used incryptography due to their nice construction and good theoreticalproperties. Here we provide a new bound on the linear complexityof these sequences. Our result improves the previous one obtainedby I.E. Shparlinski and J.H. Silverman and holds in more cases.

© 2010 Elsevier Inc. All rights reserved.

1. Introduction

In this paper we provide a bound for the linear complexity of the Naor–Reingold sequences inelliptic curves. The original sequence was presented in [5] as a primitive for cryptographic protocols.Analogous sequences based on elliptic curves were introduced in [7].

For a prime p, we denote by Fp the field with p elements. The elements of Fp will be identifiedwith the set of integers {0, . . . , p − 1}.

Let E be an elliptic curve over Fp , that is a curve given by the following Weierstrass equation

Y 2 = X3 + A X + B, A, B ∈ Fp, 4A3 + 27B2 �= 0,

for a prime p � 5. It is well known that points of the curve over Fp , including the special point O atinfinity, form an Abelian group with an appropriate composition rule where O is the neutral element.

Let G be an Fp-rational point on E of prime order l. For each vector a = (a0,a1, . . . ,an−1) ∈ (F∗l )n ,

we have the auxiliary function ϕa(x) := ax00 · · ·a

xn−1n−1 ∈ F

∗l where x = ∑n−1

i=0 xi2i is the binary represen-

* Corresponding author.E-mail addresses: marcos.cruz@unican.es (M. Cruz), domingo.gomez@unican.es (D. Gómez), daniel.sadornil@unican.es

(D. Sadornil).

1071-5797/$ – see front matter © 2010 Elsevier Inc. All rights reserved.doi:10.1016/j.ffa.2010.05.005

330 M. Cruz et al. / Finite Fields and Their Applications 16 (2010) 329–333

tation of an integer x, 0 � x � 2n −1. Then, each vector a defines a finite sequence in the subgroup 〈G〉as follows,

fa(x) := ϕa(x)G.

The Naor–Reingold elliptic curve sequence is defined as,

uk = X(

fa(k)), k = 0,1, . . . ,2n − 1, (1)

where X(P ) is the abscissa of P ∈ E .If the decisional Diffie–Hellman assumption [2] holds, it has been shown that the index k is not

enough to compute uk in polynomial time, even if an attacker performs polynomially many queriesto a random oracle [5, Theorem 4.1]. A bound on the distribution of the Naor–Reingold sequence wasgiven in [8] and its period has been investigated in [4].

We recall that the linear complexity of an N-element sequence:

uk, k = 0, . . . , N − 1

is the order L of the shortest linear recurrence

uk+L = cL−1uk+L−1 + · · · + c1uk+1 + c0uk,

where k = 0, . . . , N − L − 1 and c0, . . . , cL−1 ∈ Fl .Throughout the paper the implied constants in the symbol ‘O ’ are absolute, and log denotes the

binary logarithm.The linear complexity of the Naor–Reingold elliptic curve sequence has been studied in [9], finding

a bound given by the following theorem:

Theorem 1. Suppose that γ > 0 and n are chosen to satisfy

n � (2 + γ ) log l.

For any δ > 0 and sufficiently large l, the linear complexity La of the sequence (uk)2n−1k=0 satisfies:

La � min

(l1/3−δ,

l(γ −3δ)

log2 l

)

for all but at most O ((l − 1)n−δ) vectors a ∈ (F∗l )n.

This result provides a lower bound for the linear complexity, assuming that the dimension n ofthe parameter a is bigger than 2 log l. Here we obtain a lower bound for the linear complexity that isnontrivial even when n > 4/3 log l. In order to prove this result we proceed in a similar way as in [1]where the complexity of the Naor–Reingold sequence was studied.

2. Preliminaries

Using the techniques in [3], it is straightforward to prove the following:

Lemma 2. Let K, H ⊆ F∗l be a set of cardinality #K = K and #H = h, respectively. Using the following

notation,

Lr(K, H) = #{(k, y) ∈ K × H

∣∣ rk = y},

there exists r ∈ F∗l such that Lr(K,h) � Kh/l.

M. Cruz et al. / Finite Fields and Their Applications 16 (2010) 329–333 331

For convenience, we denote

Lr(K,h) = #{(k, y) ∈ K × F

∗l

∣∣ rk = y, 0 < y < h},

when H = {1,2, . . . ,h − 1}.The following results appeared in [9].

Lemma 3. For any integer n > 2, 0 < � < 1 and for all except at most O (�(l − 1)n) vectors a ∈ (F∗l )n, the

Naor–Reingold elliptic curve sequence contains at least �2n−2 distinct elements.

Note that the implied constant is absolute.

Lemma 4. Fix integers 1 � d0 < d1, . . . ,< dL � h < p and fix elements c0, . . . , cL ∈ Fp with cL �= 0. For anypoint Q ∈ E(Fp), consider the following Fp-linear combination of abscissas of multiples of Q ,

L(Q ) = c0 X(d0 Q ) + c1 X(d1 Q ) + · · · + cL X(dL Q ).

Then, there are at most 2(L + 1)h2 points Q ∈ E such that L(Q ) = 0.

Several properties of the linear complexity have been studied in previous papers, as for instance [6,10,11]. We will also use Lemma 2 from [8].

Lemma 5. Consider a finite sequence ( f (x))N−1x=0 in a field K, with linear complexity L. Then, for any integers

M � 1, h � 1, and 0 � e0, . . . , eL � h there are some elements c0, . . . , cL ∈ K (not all zero) such that

L∑i=0

ci f (Mb + ei) = 0

for any integer b with 0 � Mk + h � N − 1.

3. Linear complexity bound

We are ready to prove the main result in this article. The combination of the technique developedin [8,9] with Lemma 2 yields a nontrivial result even in the case n > 4

3 log l. Furthermore, this boundimproves the one provided in [9].

Theorem 6. For 0 < δ < 1 and

n >4

3log l + 6, (2)

the linear complexity La of the sequence (uk)2n−1k=0 satisfies:

La � 2n/2l−2/3−δ/8

for all but at most O ((l − 1)n−δ) vectors a ∈ (F∗l )n. Note that the implied constant is absolute.

Proof. For convenience we take

s = �n/2, h = ⌊l1/3⌋.

332 M. Cruz et al. / Finite Fields and Their Applications 16 (2010) 329–333

For any a = (a0, . . . ,an−1), we denote,

a− = (a0, . . . ,as−1), a+ = (as, . . . ,an−1).

Let A be the set of vectors such that each of the Naor–Reingold elliptic curve sequences definedby vectors a− and a+ generate at least 2s−2l−δ and 2n−s−2l−δ distinct elements, respectively. UsingLemma 3, we have that #A = (l − 1)n + O (ln−δ).

We show that the bound of the theorem holds for any vector a ∈ A. Let us consider the set

K = {ax0

0 · · ·axs−1s−1

∣∣ x0, . . . , xs−1 ∈ {0,1}} = ϕa[0,2s − 1

].

The cardinality of this set is at least 2s−2l−δ , for a ∈ A. By Lemma 2, there exists r ∈ F∗l such that

Lr(K,h) � 2s−2/l2/3+δ .Taking the value of s into account, we have that if La � Lr(K,h) then

La � 2n/2l−2/3−δ/4 � 2n/2l−2/3−δ/8. (3)

Otherwise we have La < Lr(K,h). Here we choose d0, . . . ,dLa ∈ K such that 0 < yi := dir < h. Let0 � e0 < · · · < eLa < 2s be the integers such that ϕa(ei) = di . Using Lemma 5, we derive

La∑i=0

ci X(

fa(2sb + ei

)) = 0

for 0 � b < 2n−s − 1. Let m := r−1 ∈ F∗l . We have that

fa(2sb + ei

) = mϕa(2sb

)rϕa(ei)G = yi

(mϕa

(2sb

)G),

where b = ∑n−s−1j=0 b j2 j . Now, as a ∈ A, this linear combination

L(Q ) = c0 X(y0 Q ) + c1 X(y1 Q ) + · · · + cL X(yL Q )

is zero for the points Q = (mϕa+ (b))G , which are at least 2n−s−2l−δ , because a ∈ A. So, by Lemma 4,it will imply 2(La + 1)h2 > 2n−s−2l−δ . Combining this bound with the values of h and s we obtain

La � 2n/2l−2/3−δ/8. (4)

From (3) and (4) the result follows. �Acknowledgment

This work was partially supported by the Spanish Ministry of Science, projects AYA2007-68058-C03-02, MTM2007-67088 and MTM2007-62799.

References

[1] P. Bustillo, D. Gómez, J. Gutierrez, Á. Ibeas, On the linear complexity of the Naor–Reingold sequence, preprint, 2009.[2] W. Diffie, M.E. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory IT-22 (1976) 644–654.[3] J. Friedlander, J. Hansen, I. Shparlinski, On character sums with exponential functions, Mathematika 47 (2000) 75–85.[4] Á. Ibeas, On the period of the Naor–Reingold sequence, Inform. Process. Lett. 108 (2008) 304–307.[5] M. Naor, O. Reingold, Number-theoretic constructions of efficient pseudo-random functions, J. ACM 51 (2004) 231–262

(electronic).

M. Cruz et al. / Finite Fields and Their Applications 16 (2010) 329–333 333

[6] H. Niederreiter, Linear complexity and related complexity measures for sequences, in: Progress in Cryptology—INDOCRYPT2003, in: Lecture Notes in Comput. Sci., vol. 2904, Springer, Berlin, 2003, pp. 1–17.

[7] I.E. Shparlinski, On the Naor–Reingold pseudo-random function from elliptic curves, Appl. Algebra Engrg. Comm. Comput.11 (2000) 27–34.

[8] I. Shparlinski, Linear complexity of the Naor–Reingold pseudo-random function, Inform. Process. Lett. 76 (2000) 95–99.[9] I. Shparlinski, J. Silverman, On the linear complexity of the Naor–Reingold pseudo-random function from elliptic curves,

Des. Codes Cryptogr. 24 (3) (2001) 279–289.[10] A. Topuzoglu, A. Winterhof, Pseudorandom sequences, in: Topics in Geometry, Coding Theory and Cryptography, in: Algebr.

Appl., vol. 6, Springer, Dordrecht, 2007, pp. 135–166.[11] A. Winterhof, Linear complexity and related complexity measures, in: Selected Topics in Information and Coding Theory,

World Scientific, 2010, pp. 3–40.