a survey on recursive nonlinear pseudorandom number …

A Survey on Recursive Nonlinear

Pseudorandom Number Generators

Arne Winterhof

Austrian Academy of SciencesJohann Radon Institute for Computational and Applied Mathematics

Linz

MCQMC 2012

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 0 / 24

Pseudorandom Numbers

Numbers which are generated by a deterministic algorithm and ’lookrandom’ are called pseudorandom.

Desirable ’randomness properties’ depend on the application!

cryptography:unpredictability → high linear complexity

numerical integration (Monte Carlo):uniform distribution → low discrepancy

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 1 / 24

Pseudorandom Number Generators

A pseudorandom number generator is a sequence (sn) over a finitefield Fq (or residue class ring Zm).Here we consider only Fp with p prime.

We derive pseudorandom numbers in Z or in [0, 1) in the followingway:Identify Fp with {0, 1, . . . , p − 1}.

xn = sn/p ∈ [0, 1)

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 2 / 24

Part I: Predictability, Linear Complexity, and Lattice Structure

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 3 / 24

Linear Complexity

The linear complexity L(sn) of a periodic sequence (sn) over Fp is thesmallest positive integer L such that there are constantsc0, . . . , cL−1 ∈ Fp with

sn+L = cL−1sn+L−1 + . . . + c0sn, n ≥ 0.

For a positive integer N the Nth linear complexity L(sn,N) of asequence (sn) over Fp is the smallest positive integer L such thatthere are constants c0, . . . , cL−1 ∈ Fp satisfying

sn+L = cL−1sn+L−1 + . . . + c0sn,

0 ≤ n ≤ N − L− 1.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 4 / 24

Linear Pseudorandom Number Generators

a, b, x0 ∈ Fp, a 6= 0

xn+1 = axn + b, n ≥ 0

– predictable (L(xn) ≤ 2)

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 5 / 24

(Recursive) Nonlinear Pseudorandom Number

Generators

f ∈ Fp[X ], 2 ≤ deg(f ) ≤ p − 1, x0 ∈ Fp

xn+1 = f (xn), n ≥ 0

(purely) periodic with period t ≤ p

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 6 / 24

Lower Bound on the Linear Complexity Profile

Gutierrez/Shparlinski/W. 2003:The linear complexity profile of a nonlinear sequence (xn) defined by

xn+1 = f (xn), n = 0, 1, . . . ,

with a polynomial f ∈ Fp[X ] of degree d ≥ 2, purely periodic withperiod t, satisfies

L(xn,N) ≥ min {dlogd(N − blogd Nc)e, dlogd te} .

Reason for weak result: The degrees in the sequence of iteration of f

f0(X ) = X , fk+1(X ) = f (fk(X )), k ≥ 0

grow exponentially.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 7 / 24

L∑l=0

clxn+l = 0, 0 ≤ n ≤ N − L− 1, cL = −1

F (X ) =∑L

l=0 cl fl(X ) of degree dL has at least min{N − L, t} zeros.

dL ≥ min{N − L, t}

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 8 / 24

Inversive Generators

a, b, y0 ∈ Fp, a 6= 0

yn+1 = ayp−2n + b =

{ay−1

n + b, yn 6= 0,b, yn = 0.

Gutierrez/Shparlinski/W. 2003:

L(yn,N) ≥ min

{⌈N − 1

3

⌉,

⌈t − 1

2

⌉}

Reason for better result:f (X ) = bX+a

X, fj(X ) =

ajX+bjcjX+d

(still predictable and not suitable for cryptography but for MC)

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 9 / 24

Power Generator

f (X ) = X e

Griffin/Shparlinski, 2000:

L(pn,N) ≥ min

{N2

4(p − 1),

t2

p − 1

}, N ≥ 1.

Reason for better result: fk(X ) = X ek mod p−1

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 10 / 24

Dickson generator

De(x + x−1) = xe + x−e , x ∈ Fp2

un+1 = De(un), n ≥ 0,

with some initial value u0 and e ≥ 2.Aly/W. 2006:

L(un,N) ≥ min{N2, 4t2}16(p + 1)

− (p + 1)1/2

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 11 / 24

Other nice nonlinear generators

Redei generator, Meidl/W. 2007multivariate polynomials, Topuzoglu/W. 2005: nonlinear andinversive generators of order mpolynomial systems, Ostafe/Shparlinski/W. 2010polynomials with low p-weight degree, Ibeas/W. 2010

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 12 / 24

Marsaglia’s Lattice test, 1972

(ηn) T-periodic sequence over Fp

For s ≥ 1 we say that (ηn) passes the s-dimensional lattice test if thevectors {un − u0 : 1 ≤ n < T} span Fs

p, where

un = (ηn, ηn+1, . . . , ηn+s−1), 0 ≤ n < T .

S(ηn) = max{s : 〈un − u0, 1 ≤ n < T 〉 = Fs

p

}

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 13 / 24

Niederreiter/W. 2002: L(ηn) = S(ηn) or = S(ηn) + 1

Dorfer/W. 2003: Lattice test for parts of the period, S(ηn,N)We have either

S(ηn,N) = min(L(ηn,N),N + 1− L(ηn,N))

orS(ηn,N) = min(L(ηn,N),N + 1− L(ηn,N))− 1.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 14 / 24

Little is known about lattice tests with arbitrary lags, i.e., vectors(xn+d0 , xn+d1 , . . . , xn+ds−1) ∈ Fs

p with 0 ≤ d0 < d1 < . . . < ds−1.

modified inversive generator, Niederreiter/W. 2007some explicit nonlinear generators, Pirsic/W. 2010, Chen/Ostafe/W.2010

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 15 / 24

Part II: Uniform Distribution and Discrepancy

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 16 / 24

Discrepancy

Γ ={

(γn,0, . . . , γn,s−1)Nn=1

}sequence of N points in the s-dimensional unit interval [0, 1)s

∆(Γ) = supB⊆[0,1)s

∣∣∣∣TΓ(B)

N− |B |

∣∣∣∣ ,where TΓ(B) is the number of points of Γ inside the box

B = [α0, β0)× · · · × [αs−1, βs−1) ⊆ [0, 1)s

and the supremum is taken over all such boxes.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 17 / 24

Erdos-Turan-Koksma inequality (from discrepancy

to exponential sums)

∆(Γ) ≤(

3

2

)s 2

H + 1+

1

N

∑0<|a|≤H

s−1∏j=0

1

max{|aj |, 1}

∣∣∣Σ(s)N (Γ, a)

∣∣∣ ,

where

Σ(s)N (Γ, a) =

N∑n=1

exp

(2πi

s−1∑j=0

ajγn,j

)and the outer sum is taken over all integer vectorsa = (a0, . . . , as−1) ∈ Zs \ {0} with |a| = max

j=0,...,s−1|aj | ≤ H .

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 18 / 24

Nonlinear Pseudorandom Numbers

f ∈ Fp[X ], 2 ≤ deg(f ) ≤ p − 1, x0 ∈ Fp

xn+1 = f (xn), n ≥ 0

SN(a) =N−1∑n=0

ψ(axn), a 6= 0,

where ψ(x) = exp(2πix/p) is the additive canonical character of Fp.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 19 / 24

Niederreiter/Shparlinski 1999:

SN(a) = O(N1/2p1/2 log(d)1/2 log(p)−1/2

), a 6= 0

(improvement, Niederreiter/W. 2008)

Main idea of proof:Reduction to Weil-bound:∣∣∣∣∣∣

∑x∈Fp

ψ(F (x))

∣∣∣∣∣∣ ≤ (deg(F )− 1)p1/2

Here:F (X ) =

∑ai fki (X )

Exponential degree growth when iterating f (X ) is the reason for theweakness of these bounds. (Cf. linear complexity bounds.)

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 20 / 24

Improvements for Special Nonlinear Generators

inversive generators: Niederreiter/Shparlinski 2001

DN = O(N−1/2p1/4 logs(p))

power generator: Friedlander/Shparlinski 2001Dickson generator: Gomez/Gutierrez/Shparlinski 2006Redei generator: Gutierrez/W. 2007polynomial systems: Ostafe/Shparlinski since 2009low p-weight degree: Ibeas/W. 2010

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 21 / 24

under construction

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 22 / 24

Linz opera house will open 2013

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 23 / 24

Thank you for your attention.

A.Winterhof (RICAM (Linz)) Pseudorandom Number Generators MCQMC 2012 24 / 24