a survey on recursive nonlinear pseudorandom number …

A Survey on Recursive Nonlinear

Pseudorandom Number Generators

Arne Winterhof

Austrian Academy of SciencesJohann Radon Institute for Computational and Applied Mathematics

Linz

MCQMC 2012

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 0 / 24

Pseudorandom Numbers

Numbers which are generated by a deterministic algorithm and ’lookrandom’ are called pseudorandom.

Desirable ’randomness properties’ depend on the application!

cryptography:unpredictability → high linear complexity

numerical integration (Monte Carlo):uniform distribution → low discrepancy


Pseudorandom Number Generators

A pseudorandom number generator is a sequence (sn) over a finitefield Fq (or residue class ring Zm).Here we consider only Fp with p prime.

We derive pseudorandom numbers in Z or in [0, 1) in the followingway:Identify Fp with {0, 1, . . . , p − 1}.

xn = sn/p ∈ [0, 1)


Part I: Predictability, Linear Complexity, and Lattice Structure


Linear Complexity

The linear complexity L(sn) of a periodic sequence (sn) over Fp is thesmallest positive integer L such that there are constantsc0, . . . , cL−1 ∈ Fp with

sn+L = cL−1sn+L−1 + . . . + c0sn, n ≥ 0.

For a positive integer N the Nth linear complexity L(sn,N) of asequence (sn) over Fp is the smallest positive integer L such thatthere are constants c0, . . . , cL−1 ∈ Fp satisfying

sn+L = cL−1sn+L−1 + . . . + c0sn,

0 ≤ n ≤ N − L− 1.


Linear Pseudorandom Number Generators

a, b, x0 ∈ Fp, a 6= 0

xn+1 = axn + b, n ≥ 0

– predictable (L(xn) ≤ 2)


(Recursive) Nonlinear Pseudorandom Number

Generators

f ∈ Fp[X ], 2 ≤ deg(f ) ≤ p − 1, x0 ∈ Fp

xn+1 = f (xn), n ≥ 0

(purely) periodic with period t ≤ p


Lower Bound on the Linear Complexity Profile

Gutierrez/Shparlinski/W. 2003:The linear complexity profile of a nonlinear sequence (xn) defined by

xn+1 = f (xn), n = 0, 1, . . . ,

with a polynomial f ∈ Fp[X ] of degree d ≥ 2, purely periodic withperiod t, satisfies

L(xn,N) ≥ min {dlogd(N − blogd Nc)e, dlogd te} .

Reason for weak result: The degrees in the sequence of iteration of f

f0(X ) = X , fk+1(X ) = f (fk(X )), k ≥ 0

grow exponentially.


L∑l=0

clxn+l = 0, 0 ≤ n ≤ N − L− 1, cL = −1

F (X ) =∑L

l=0 cl fl(X ) of degree dL has at least min{N − L, t} zeros.

dL ≥ min{N − L, t}


Inversive Generators

a, b, y0 ∈ Fp, a 6= 0

yn+1 = ayp−2n + b =

{ay−1

n + b, yn 6= 0,b, yn = 0.

Gutierrez/Shparlinski/W. 2003:

L(yn,N) ≥ min

{⌈N − 1

3

⌉,

⌈t − 1

2

⌉}

Reason for better result:f (X ) = bX+a

X, fj(X ) =

ajX+bjcjX+d

(still predictable and not suitable for cryptography but for MC)


Power Generator

f (X ) = X e

Griffin/Shparlinski, 2000:

L(pn,N) ≥ min

{N2

4(p − 1),

t2

p − 1

}, N ≥ 1.

Reason for better result: fk(X ) = X ek mod p−1


Dickson generator

De(x + x−1) = xe + x−e , x ∈ Fp2

un+1 = De(un), n ≥ 0,

with some initial value u0 and e ≥ 2.Aly/W. 2006:

L(un,N) ≥ min{N2, 4t2}16(p + 1)

− (p + 1)1/2


Other nice nonlinear generators

Redei generator, Meidl/W. 2007multivariate polynomials, Topuzoglu/W. 2005: nonlinear andinversive generators of order mpolynomial systems, Ostafe/Shparlinski/W. 2010polynomials with low p-weight degree, Ibeas/W. 2010


Marsaglia’s Lattice test, 1972

(ηn) T-periodic sequence over Fp

For s ≥ 1 we say that (ηn) passes the s-dimensional lattice test if thevectors {un − u0 : 1 ≤ n < T} span Fs

p, where

un = (ηn, ηn+1, . . . , ηn+s−1), 0 ≤ n < T .

S(ηn) = max{s : 〈un − u0, 1 ≤ n < T 〉 = Fs

p

}


Niederreiter/W. 2002: L(ηn) = S(ηn) or = S(ηn) + 1

Dorfer/W. 2003: Lattice test for parts of the period, S(ηn,N)We have either

S(ηn,N) = min(L(ηn,N),N + 1− L(ηn,N))

orS(ηn,N) = min(L(ηn,N),N + 1− L(ηn,N))− 1.


Little is known about lattice tests with arbitrary lags, i.e., vectors(xn+d0 , xn+d1 , . . . , xn+ds−1) ∈ Fs

p with 0 ≤ d0 < d1 < . . . < ds−1.

modified inversive generator, Niederreiter/W. 2007some explicit nonlinear generators, Pirsic/W. 2010, Chen/Ostafe/W.2010


Part II: Uniform Distribution and Discrepancy


Discrepancy

Γ ={

(γn,0, . . . , γn,s−1)Nn=1

}sequence of N points in the s-dimensional unit interval [0, 1)s

∆(Γ) = supB⊆[0,1)s

∣∣∣∣TΓ(B)

N− |B |

∣∣∣∣ ,where TΓ(B) is the number of points of Γ inside the box

B = [α0, β0)× · · · × [αs−1, βs−1) ⊆ [0, 1)s

and the supremum is taken over all such boxes.


Erdos-Turan-Koksma inequality (from discrepancy

to exponential sums)

∆(Γ) ≤(

3

2

)s 2

H + 1+

1

N

∑0<|a|≤H

s−1∏j=0

1

max{|aj |, 1}

∣∣∣Σ(s)N (Γ, a)

∣∣∣ ,

where

Σ(s)N (Γ, a) =

N∑n=1

exp

(2πi

s−1∑j=0

ajγn,j

)and the outer sum is taken over all integer vectorsa = (a0, . . . , as−1) ∈ Zs \ {0} with |a| = max

j=0,...,s−1|aj | ≤ H .


Nonlinear Pseudorandom Numbers

f ∈ Fp[X ], 2 ≤ deg(f ) ≤ p − 1, x0 ∈ Fp

xn+1 = f (xn), n ≥ 0

SN(a) =N−1∑n=0

ψ(axn), a 6= 0,

where ψ(x) = exp(2πix/p) is the additive canonical character of Fp.


Niederreiter/Shparlinski 1999:

SN(a) = O(N1/2p1/2 log(d)1/2 log(p)−1/2

), a 6= 0

(improvement, Niederreiter/W. 2008)

Main idea of proof:Reduction to Weil-bound:∣∣∣∣∣∣

∑x∈Fp

ψ(F (x))

∣∣∣∣∣∣ ≤ (deg(F )− 1)p1/2

Here:F (X ) =

∑ai fki (X )

Exponential degree growth when iterating f (X ) is the reason for theweakness of these bounds. (Cf. linear complexity bounds.)


Improvements for Special Nonlinear Generators

inversive generators: Niederreiter/Shparlinski 2001

DN = O(N−1/2p1/4 logs(p))

power generator: Friedlander/Shparlinski 2001Dickson generator: Gomez/Gutierrez/Shparlinski 2006Redei generator: Gutierrez/W. 2007polynomial systems: Ostafe/Shparlinski since 2009low p-weight degree: Ibeas/W. 2010


under construction


Linz opera house will open 2013


Thank you for your attention.


a survey on recursive nonlinear pseudorandom number …

Documents