On the $k$-error linear complexity of binary sequences derived from the discrete logarithm in finite fields
Zhixiong Chen, Qiuyan Wang

TL;DR
This paper investigates the linear complexity and $k$-error linear complexity of binary sequences derived from quadratic characters in finite fields, providing new bounds and insights especially for fields with extension degree 2.
Contribution
It establishes a lower bound on the linear complexity for sequences from finite fields with extension degree at least 2 and analyzes the $k$-error linear complexity specifically for quadratic extension fields.
Findings
Lower bound on linear complexity for $r > 1$
Analysis of $k$-error linear complexity for $r=2$
Open problem for $r>2$ cases
Taxonomy
Topics: Coding theory and cryptography · graph theory and CDMA systems · Cryptographic Implementations and Security
On the $k$-error linear complexity of binary sequences derived from the discrete logarithm in finite fields
Zhixiong Chen^1 and Qiuyan Wang^{1,2}
1 Provincial Key Laboratory of Applied Mathematics, Putian University, Putian, Fujian 351100, P.R. China
2 School of Computer Science and Software Engineering, Tianjin Polytechnic University, Tianjin 300387, P.R. China
Abstract
Let be a power of an odd prime . We study binary sequences with entries in defined by using the quadratic character of the finite field :
[TABLE]
for the ordered elements . The sequence is the Legendre sequence if .
Our first contribution is to prove a lower bound on the linear complexity of for . The bound improves some results of Meidl and Winterhof. Our second contribution is to study the $k$-error linear complexity of for . We have not been able to settle the case when , and leave it open.
Keywords: stream cipher; pseudorandom binary sequences; linear complexity; $k$-error linear complexity; discrete logarithm; finite field
1 Introduction
Pseudorandom sequences play an important role in cryptography; in particular, in symmetric cryptography (stream ciphers) they serve as the keystream that is expanded from the secret key. Pseudorandom sequences have therefore attracted wide attention. In this work we begin with the Legendre sequence, which has good pseudorandom properties.
Let be an odd prime. The Legendre sequence with entries in is defined as
[TABLE]
where is the Legendre symbol, that is, for with , if for some integer and otherwise. The Legendre sequence has been studied extensively. From the viewpoint of cryptography, its linear complexity (see the notion below) is studied in [7] and its $k$-error linear complexity in [2] (we remark that in [2] the Legendre sequence is treated as a -ary sequence over ); other features are studied in the literature, see e.g. [5, 13].
It is natural to extend the Legendre symbol construction to define binary sequences from the extension field of elements with . We order the elements of as follows.
Fixing a basis of over , we define for ,
[TABLE]
if
[TABLE]
Let be a primitive element of and the discrete logarithm of with respect to , i.e., . For any integer , we use the notation . The importance of the discrete logarithm for modern cryptography is well known. The security of many public-key cryptosystems depends on the intractability of the discrete logarithm problem.
The following -periodic sequence with entries in has been studied in the literature:
[TABLE]
Clearly is the Legendre sequence if and . The (aperiodic) autocorrelation of was analyzed in [15], and the linear complexity of was studied in [14, 18]. In particular, in [1, 2] the $k$-error linear complexity over of was investigated for . One might ask whether this can be extended to the case for the $k$-error linear complexity. Indeed, [4, Proposition 2] tells us that one has to change many elements to obtain a sequence of smaller period, and hence of small linear complexity. This might be the reason why the authors of [1, 2] did not study further over for the case .
In this work we focus on the case when . The sequence with entries in in Eq.(1) can be defined equivalently by using the quadratic character of :
[TABLE]
It is easy to see that for . The measures of pseudorandomness of the binary sequence were studied in [16] in a more general setting, and some related problems were considered in [10, 11, 12]. In the sequel, we first prove in Sect. 2 a lower bound on the linear complexity of the sequence in Eq.(2) for with . The bound improves some results of Meidl and Winterhof in [14, 18]. Then in Sect. 3 we study the $k$-error linear complexity (over ) of for . This differs from [1, 2], in which, we remark again, the sequence is treated over . We have not been able to settle the case when , and leave it open.
The linear complexity is an important cryptographic characteristic of a sequence: it provides information on predictability, and thus on unsuitability for cryptographic use. Here we give a short introduction to the linear complexity of periodic sequences. Let be a field. For a -periodic sequence over , recall that the linear complexity over , denoted by , is the least order of a linear recurrence relation over
[TABLE]
which is satisfied by and where . Let
[TABLE]
which is called the generating polynomial of . Then the linear complexity over of can be computed as
[TABLE]
which is the degree of the characteristic polynomial, , of the sequence. See, e.g., [5] for details.
For a sequence to be cryptographically strong, its linear complexity should be high, and it should not be significantly reduced by changing a few terms. This leads to the notion of the $k$-error linear complexity. For integers , the $k$-error linear complexity over of , denoted by , is the lowest linear complexity (over ) that can be obtained by changing at most terms of the sequence per period (see [17], and see [6] for the related sphere complexity, which was defined even earlier). Clearly, , and
[TABLE]
when equals the number of nonzero terms of per period, i.e., the weight of .
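As an added worked example (this editor's code, not the paper's), the construction of Eqs.(1) and (2), the Legendre case, the gcd formula of Eq.(3) and the $k$-error definition are carried through in Python for small parameters. Because the paper's displayed formulas did not survive extraction, the code assumes a polynomial basis {1, α, …, α^{r-1}} of F_{p^r} over F_p, the ordering ξ_n = n_0 + n_1 α + … for n = n_0 + n_1 p + …, and the convention s_n = 1 iff η(ξ_n) = -1 (equivalently ind(ξ_n) odd) and s_n = 0 otherwise, including s_0 = 0; the modulus f is assumed irreducible, and the Euler-criterion assertion only catches some violations of that assumption.

```python
"""Added worked example (editor's code, not the paper's): build the sequence s of
Eq.(2) from the quadratic character of F_{p^r}, compute its linear complexity by
Berlekamp-Massey and by the gcd formula of Eq.(3), and brute-force the k-error
linear complexity for small k.  Assumed, since the displayed formulas are lost:
F_{p^r} = F_p[x]/(f), f monic irreducible, polynomial basis {1, alpha, ...};
xi_n = n_0 + n_1 alpha + ... for n = n_0 + n_1 p + ...; s_n = 1 iff
eta(xi_n) = -1 (ind(xi_n) odd), else 0.  For r = 1 this is the Legendre sequence."""
from itertools import combinations

def fmul(a, b, f, p):
    """Product in F_p[x]/(f); elements are coefficient lists, low degree first."""
    r = len(f) - 1
    prod = [0] * (2 * r - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    for d in range(2 * r - 2, r - 1, -1):      # reduce alpha^d (d >= r) using f
        c, prod[d] = prod[d], 0
        for k in range(r):
            prod[d - r + k] = (prod[d - r + k] - c * f[k]) % p
    return prod[:r]

def fpow(a, e, f, p):
    """a^e in F_p[x]/(f) by square-and-multiply."""
    res, base = [1] + [0] * (len(f) - 2), list(a)
    while e:
        if e & 1:
            res = fmul(res, base, f, p)
        base, e = fmul(base, base, f, p), e >> 1
    return res

def sequence(p, f):
    """One period (q = p^r terms) of s via Euler's criterion eta(xi) = xi^((q-1)/2)."""
    r = len(f) - 1
    q = p ** r
    one, minus_one = [1] + [0] * (r - 1), [p - 1] + [0] * (r - 1)
    s = []
    for n in range(q):
        xi = [(n // p ** i) % p for i in range(r)]   # base-p digits of n = coordinates of xi_n
        if not any(xi):
            s.append(0)                              # xi_0 = 0 gives s_0 = 0
            continue
        eta = fpow(xi, (q - 1) // 2, f, p)
        assert eta in (one, minus_one), "f is not irreducible over F_p"
        s.append(1 if eta == minus_one else 0)
    return s

def berlekamp_massey(bits):
    """Linear complexity over GF(2) of a finite bit string (Massey's algorithm)."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n              # current / previous connection polys
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:                                        # discrepancy: c <- c + x^(i-m) b
            t, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

def linear_complexity(period):
    """L of the periodic sequence: BM on two periods suffices because L <= N."""
    return berlekamp_massey(list(period) * 2)

def gcd_gf2(a, b):
    """gcd in GF(2)[x]; polynomials packed as ints (bit i = coefficient of x^i)."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a

def linear_complexity_gcd(period):
    """Eq.(3): L = N - deg gcd(x^N - 1, S(x)), S(x) = sum_i s_i x^i."""
    N = len(period)
    S = sum(bit << i for i, bit in enumerate(period))
    return N - (gcd_gf2((1 << N) | 1, S).bit_length() - 1) if S else 0

def k_error_linear_complexity(period, k):
    """Brute force over every change of at most k terms per period (small N, k only)."""
    best = linear_complexity(period)
    for t in range(1, k + 1):
        for pos in combinations(range(len(period)), t):
            alt = list(period)
            for i in pos:
                alt[i] ^= 1
            best = min(best, linear_complexity(alt))
    return best

if __name__ == "__main__":
    s = sequence(7, [4, 0, 1])                       # F_49 = F_7[x]/(x^2 - 3); 3 is a non-residue mod 7
    print("".join(map(str, s)), "L =", linear_complexity(s), linear_complexity_gcd(s))
    print("L_k for k = 0, 1:", [k_error_linear_complexity(s, k) for k in range(2)])
```

Run stand-alone it prints one period of 49 terms for p = 7, r = 2, the linear complexity (the Berlekamp-Massey and gcd values agree), and the brute-force $k$-error values. For r = 2 the first p terms are always 0, because every element of F_p is a square in F_{p^2} (a^{(p^2-1)/2} = (a^{p-1})^{(p+1)/2} = 1), which is the loss of pseudorandomness the final remarks address; with f = x the same code reproduces the Legendre sequence of Sect. 1.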
2 A lower bound on linear complexity
In this section we prove a lower bound on the linear complexity of in Eq.(2) for and . Some results have been given in [14, 18]; our bound in Theorem 1 below improves them considerably.
Let denote the order of modulo , i.e., is the least positive integer such that .
Lemma 1.
Let with . If , then for .
Proof. We suppose . First, we write for some integer since . Then we have
[TABLE]
and hence . This implies that is a divisor of . On the other hand, since , we see that .
Second, the assumption of implies that . So we can write for some positive integer . Suppose . Then we derive
[TABLE]
which contradicts . Hence , and therefore . This finishes the proof. ∎
Theorem 1.
Let be the binary sequence of period defined in Eq.(2) with for . If , then the linear complexity of satisfies
[TABLE]
where is the order of modulo .
Proof. From Eq.(2) it is easy to see that the least period of is , since there are many 1's among the first terms of the sequence.
Let . We see that , and has exactly many roots, namely the primitive -th roots of unity in . Then by Lemma 1, can be written as the product of many irreducible polynomials of degree :
[TABLE]
We show below that there exists such that , where is the generating polynomial of .
Suppose now that , and write for some polynomial of degree . Then for we derive
[TABLE]
from which we get for every integer , and hence is a period of , a contradiction. Therefore , and there exists at least one such that . Then, from the definition of the characteristic polynomial of , or from Eq.(3), we have
[TABLE]
which finishes the proof. ∎
The bound is much better than those of [14, Thms. 1 and 2] and [18]. We note that Theorem 1 is in fact a general result for any -periodic binary sequence over , and that it covers almost all primes: as far as we know, primes satisfying (Wieferich primes) are very rare. It was shown in [3] that there are only two such primes, 1093 and 3511, up to the search limit reported there.
We remark again that, by [4, Prop. 2], any sequence over with least period has linear complexity at least . Theorem 1 is a very similar statement for binary sequences.
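Lemma 1 and the remark on Wieferich primes, checked numerically as an added example (this editor's code, not the paper's). The identity it tests, ord_{p^r}(2) = p^{r-1} · ord_p(2) for every odd prime p with 2^{p-1} ≢ 1 (mod p^2), is this editor's reading of Lemma 1 from the visible proof, since the lemma's displayed statement did not survive extraction; the factor count it derives is the standard splitting of (x^{p^r} - 1)/(x^{p^{r-1}} - 1) over GF(2) into irreducibles of degree ord_{p^r}(2), which is what the proof of Theorem 1 uses.

```python
"""Added example (editor's code, not the paper's) for Lemma 1 and the remark
after Theorem 1: the order of 2 modulo p^r versus p^(r-1) * ord_p(2), the
Wieferich condition 2^(p-1) = 1 (mod p^2) under which that relation fails, and
the factorisation pattern of (x^(p^r) - 1)/(x^(p^(r-1)) - 1) over GF(2).
The relation ord_{p^r}(2) = p^(r-1) ord_p(2) is the editor's reading of Lemma 1
from its proof; the displayed statement did not survive extraction."""

def prime_factors(n):
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out

def order_mod_prime_power(a, p, r):
    """Multiplicative order of a modulo p^r: start from phi(p^r) = p^(r-1)(p-1)
    and strip every prime factor that can be removed."""
    n, order = p ** r, p ** (r - 1) * (p - 1)
    assert a % p != 0
    for l in prime_factors(order):
        while order % l == 0 and pow(a, order // l, n) == 1:
            order //= l
    return order

def is_wieferich(p):
    """2^(p-1) = 1 (mod p^2): exactly the primes excluded by Lemma 1 and Theorem 1."""
    return pow(2, p - 1, p * p) == 1

def lemma1_holds(p, r):
    """ord_{p^r}(2) == p^(r-1) * ord_p(2), expected for every non-Wieferich p."""
    return order_mod_prime_power(2, p, r) == p ** (r - 1) * order_mod_prime_power(2, p, 1)

def cyclotomic_factorisation(p, r):
    """Over GF(2), (x^(p^r)-1)/(x^(p^(r-1))-1) splits into phi(p^r)/ord_{p^r}(2)
    distinct irreducibles, each of degree ord_{p^r}(2).  Returns (count, degree)."""
    d = order_mod_prime_power(2, p, r)
    return p ** (r - 1) * (p - 1) // d, d

def wieferich_primes_below(bound):
    """Sieve the odd primes below bound and keep the Wieferich ones."""
    sieve = bytearray([1]) * bound
    sieve[:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [p for p in range(3, bound) if sieve[p] and is_wieferich(p)]

if __name__ == "__main__":
    for p, r in [(3, 2), (7, 2), (7, 3), (11, 2), (1093, 2)]:
        print(p, r, order_mod_prime_power(2, p, r), lemma1_holds(p, r),
              cyclotomic_factorisation(p, r))
    print("Wieferich primes below 10000:", wieferich_primes_below(10000))
```

For p = 7, r = 2 the output shows ord_{49}(2) = 21 = 7 · 3 and two irreducible factors of degree 21, the factorisation behind the bound of Theorem 1 for period 49; for the Wieferich prime 1093 the order modulo 1093^2 equals the order modulo 1093, so the degree-multiplying step of Lemma 1 fails there, which is why the theorem excludes these primes.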
3 $k$-Error linear complexity
In this section we consider the $k$-error linear complexity of in Eq.(2) for .
The approach used in the proof of Theorem 1 also yields a lower bound on the $k$-error linear complexity. Below we choose as a basis of over and write as for , where . We first prove two lemmas.
Lemma 2.
Let for . Then we have
[TABLE]
Proof. For each , when runs through the set , so does , where is taken modulo . Hence , and if . This finishes the proof. ∎
Lemma 3.
Let the vector for , where is defined by Eq.(2) with . Let in Eq.(2) be defined using a basis of over for . Let , the weight of , denote the number of 1's in .
(1). If , we have and for ;
(2). If , we have and for .
Proof. We first show for any . Since is the quadratic character of , we can write , where is a character of order of . Then from for some integer , we have
[TABLE]
Now from Eq.(2) we see that for any . Hence for , by Lemma 2. On the other hand, from for , we derive if , and otherwise.
Finally, since there are many with , we have , and hence for if , and for otherwise. ∎
For defined in Eq.(2) with , write
[TABLE]
for . Then clearly the generating polynomial of is .
Theorem 2.
Let be the binary sequence of period defined in Eq.(2) with . Let in Eq.(2) be defined by using a basis over for . If , then the -error linear complexity of satisfies
[TABLE]
where is the order of modulo and
[TABLE]
Proof. By Lemma 1, is the product of many irreducible polynomials of degree :
[TABLE]
Let be a polynomial of degree smaller than over . We require that differs from , the generating polynomial of , in exactly terms; that is, if we write
[TABLE]
then , a polynomial of degree smaller than , has exactly many monomials. We want to find such an with the smallest such that .
We suppose for some of degree smaller than over . We derive
[TABLE]
From Eq.(4) above we see that contains the summation if , and otherwise, for .
If , we have and for by Lemma 3; that is, and has many terms for . So one checks that the polynomial below
[TABLE]
has the smallest number of terms (subject to ). The argument shows that if , no with terms can guarantee . Hence for such , at least one of is not a divisor of , and therefore by Eq.(3).
If , Lemma 3 shows that the polynomial below
[TABLE]
has the smallest number of terms such that . The proof is then completed as above. ∎
Now we consider the case when is primitive modulo . We need the following lemma.
Lemma 4.
Let for , where the is defined by Eq.(2) with . Let in Eq.(2) be defined by using a basis over for . We have
[TABLE]
where
[TABLE]
Proof. This is clear from Lemma 3. ∎
Theorem 3.
Let be the binary sequence of period defined in Eq.(2) with . Let in Eq.(2) be defined by using a basis over for . If and is primitive modulo , then the -error linear complexity of satisfies
[TABLE]
if , and
[TABLE]
if .
Proof. As before, let be the generating polynomial of . We note that both and are irreducible, since is primitive modulo .
From the proof of Theorem 2 we see that and for any with many terms, for . We now consider modulo . By Lemma 4, we have
[TABLE]
We consider the case when . From Eq.(5) we derive:
(i) if and , then ;
(ii) , which implies ;
(iii) , which implies .
Putting everything together proves the first statement. For the case when , we easily get , and the arguments above then prove the second statement. ∎
Similarly, we have the following theorem for .
Theorem 4.
Let be the binary sequence of period defined in Eq.(2) with . Let in Eq.(2) be defined by using a basis over for . If and is primitive modulo , then the -error linear complexity of satisfies
[TABLE]
if , and
[TABLE]
if .
Theorems 3 and 4 indicate that the sequence considered here has good stability; in other words, its linear complexity is not significantly decreased by changing only a few (though not too many) terms.
4 Final remarks
We have studied the linear complexity of binary sequences defined by using the quadratic character of the finite field with , and their $k$-error linear complexity for . Such sequences extend the Legendre sequences. It would be interesting to consider the $k$-error linear complexity for .
From the construction, we find by Lemma 3 that and . This sacrifices some pseudorandomness of the sequence, so one can modify the construction as follows:
[TABLE]
The methods of this work can then be used to study the linear complexity and $k$-error linear complexity of the modified sequence.
Finally we remark that there is another way to order the elements of . Write , where is a primitive element of . The sequence defined by
[TABLE]
is referred to as a generalized Sidelnikov sequence; see e.g. [2], in which the $k$-error linear complexity (over ) of was determined for . It would thus be interesting to consider the $k$-error linear complexity (over ) of .
Acknowledgment
The authors wish to thank Prof. Arne Winterhof for helpful suggestions and some corrections of the proof.
The work was partially supported by the National Natural Science Foundation of China under grant No. 61772292, by the Projects of International Cooperation and Exchanges NSFC No. 6181101289, by the Provincial Natural Science Foundation of Fujian under grant No. 2018J01425 and by the Program for Innovative Research Team in Science and Technology in Fujian Province University under grant No. 2018-49.
References
[1] Aly, H., Meidl, W., Winterhof, A.: On the $k$-error linear complexity of cyclotomic sequences. J. Math. Crypt. 1 (2007) 283-296.
[2] Aly, H., Winterhof, A.: On the $k$-error linear complexity over of Legendre and Sidelnikov sequences. Designs, Codes and Cryptography 40 (2006) 369-374.
[3] Akbary, A., Siavashi, S.: The largest known Wieferich numbers. Integers 18 (2018), #A3, 1-6.
[4] Blackburn, S. R., Etzion, T., Paterson, K. G.: Permutation polynomials, de Bruijn sequences, and linear complexity. J. Comb. Theory Ser. A 76(1) (1996) 55-82.
[5] Cusick, T. W., Ding, C., Renvall, A.: Stream Ciphers and Number Theory. Gulf Professional Publishing, 2004.
[6] Ding, C., Xiao, G., Shan, W.: The Stability Theory of Stream Ciphers. Lecture Notes in Computer Science, vol. 561, Springer-Verlag, Berlin (1991).
[7] Ding, C., Helleseth, T., Shan, W.: On the linear complexity of Legendre sequences. IEEE Transactions on Information Theory 44(3) (1998) 1276-1278.
[8] Ding, C.: Binary cyclotomic generators. Fast Software Encryption, Lecture Notes in Computer Science, vol. 1008, Springer-Verlag, Berlin (1995) 20-60.
