Algebraic dependence in generating functions and expansion complexity
Domingo Gómez-Pérez, László Mérai

TL;DR
This paper advances the understanding of expansion complexity in cryptographic sequences by analyzing its algebraic properties, providing bounds for random sequences, and examining sequences from differential equations, including the inversive generator.
Contribution
It introduces algebraic methods to analyze expansion complexity, establishes bounds for random sequences, and explores sequences generated by differential equations.
Findings
Expansion complexity relates to Gröbner bases of polynomial ideals.
Bounds on expansion complexity for random sequences are established.
Sequences from differential equations, like the inversive generator, are analyzed for expansion complexity.
Abstract
In 2012, Diem introduced a new figure of merit for cryptographic sequences called expansion complexity. Recently, a series of papers has been published on the analysis of expansion complexity and on testing sequences in terms of this new measure of randomness. In this paper, we continue this analysis. First we study the expansion complexity in terms of the Gröbner basis of the underlying polynomial ideal. Next, we prove bounds on the expansion complexity for random sequences. Finally, we study the expansion complexity of sequences defined by differential equations, including the inversive generator.
Domingo Gómez-Pérez
D.G.-P.: Department of Mathematics, University of Cantabria, Santander 39005, Spain
and
László Mérai
L.M. Johann Radon Institute for Computational and Applied Mathematics, Austrian Academy of Sciences, Altenberger Straße 69, A-4040 Linz, Austria
Key words and phrases:
pseudorandom sequence, expansion complexity, Gröbner basis, inversive generator
1991 Mathematics Subject Classification:
11T71, 11Y16, 94A60, 94A55, 68Q25
1. Introduction
For a sequence over the finite field of elements, we define its generating function of by
[TABLE]
viewed as a formal power series over .
A sequence is called an expansion sequence or automatic sequence if its generating function satisfies an algebraic equation
[TABLE]
for some nonzero polynomial . Clearly, the polynomials satisfying (1) form an ideal in . This ideal is called the defining ideal and it is a principal ideal generated by an irreducible polynomial, see [3, Proposition 4].
Expansion sequences can be efficiently computed from a relatively short subsequence via the generating polynomial of its defining ideal [3, Section 5].
Proposition 1.
Let be an expansion sequence and let be the generating polynomial of its defining ideal. The sequence is uniquely determined by and its initial sequence of length . Moreover, can be computed in polynomial time (in ) from an initial sequence of length .
Based on Proposition 1, Diem [3] defined the th expansion complexity in the following way. For a positive integer , the th expansion complexity is if and otherwise the least total degree of a nonzero polynomial with
[TABLE]
For recent results on expansion complexity we refer to [9, 10]. For example, it was pointed out in [9] that small expansion complexity does not imply high predictability in the sense of Proposition 1.
Example.
Let be a sequence over the finite field () with initial segment and generating function . Then its 6th expansion complexity is realized by the polynomial . However, the first 4 elements do not determine the whole initial segment with length 6.
In order to achieve the predictability of sequences in terms of Proposition 1, one needs to require that the polynomial satisfying (2) is irreducible. This observation leads to the i(rreducible)-expansion complexity of a sequence. Accordingly, for a positive integer , the th i-expansion complexity is if and otherwise the least total degree of an irreducible polynomial with (2).
See [9] for more details for expansion and i-expansion complexity.
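The definition of the th expansion complexity can be evaluated directly by linear algebra: a nonzero polynomial of total degree at most d satisfying (2) exists exactly when the truncated series x^i G(x)^j with i + j <= d are linearly dependent. The following is an added example, not code from the paper; it assumes a prime field F_p and reads condition (2), which is not legible on this page, as Diem's congruence h(x, G(x)) ≡ 0 mod x^N. The function names and sample sequences are constructed for illustration.

```python
def mul_trunc(a, b, n, p):
    """Product of two power series modulo x^n, coefficients in F_p."""
    out = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j in range(n - i):
                out[i + j] = (out[i + j] + ai * b[j]) % p
    return out


def rank_mod_p(rows, p):
    """Rank of a matrix over F_p (p prime) by Gaussian elimination."""
    rows = [r[:] for r in rows]
    rank = 0
    for col in range(len(rows[0])):
        piv = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, p)
        rows[rank] = [v * inv % p for v in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(v - f * w) % p for v, w in zip(rows[r], rows[rank])]
        rank += 1
        if rank == len(rows):
            break
    return rank


def expansion_complexity(s, p):
    """N-th expansion complexity of s[0..N-1] over F_p, with N = len(s)."""
    n = len(s)
    g = [v % p for v in s]              # coefficients of G(x) mod x^N
    if not any(g):
        return 0                        # all-zero initial segment
    d = 1
    while True:
        rows, power = [], [1] + [0] * (n - 1)   # power holds G^j mod x^N
        for j in range(d + 1):
            for i in range(d - j + 1):
                # coefficient vector of x^i * G^j mod x^N
                rows.append(([0] * i + power)[:n])
            power = mul_trunc(power, g, n, p)
        # a nonzero h of total degree <= d exists iff the rows are dependent
        if rank_mod_p(rows, p) < len(rows):
            return d
        d += 1


def fibonacci_mod(p, n):
    """Constructed sample: Fibonacci numbers mod p, G(x) = x / (1 - x - x^2)."""
    s = [0, 1]
    while len(s) < n:
        s.append((s[-1] + s[-2]) % p)
    return s[:n]


if __name__ == "__main__":
    print(expansion_complexity([1] * 8, 5))              # G = 1/(1-x)
    print(expansion_complexity(fibonacci_mod(7, 12), 7))
    print(expansion_complexity([0, 0, 0, 0, 0, 1], 2))   # G = x^5, N = 6
```

For the constructed segment 0,0,0,0,0,1 over F_2 every degree-2 relation has the form y(ax + by), which is reducible. This is the kind of case that motivates the i-expansion complexity.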
In this paper we first give bounds on the expansion and i-expansion complexity in terms of the Gröbner basis of the ideal of polynomials (2) in Section 2. In Section 3 we study the typical value of expansion complexity for random sequences. Finally, in Section 4 we study the expansion complexity of sequences defined by differential equations. An example of such a sequence is the so-called explicit inversive generator.
2. Expansion complexity and Gröbner bases
In this section we determine the expansion and i-expansion complexity of a sequence in terms of the Gröbner basis of its defining ideal.
2.1. A brief introduction to Gröbner bases
In the following section, we give a brief introduction to Gröbner bases with special emphasis on their properties. For a more complete introduction, we recommend the introductory books of Eisenbud [4] and zur Gathen [13]. In this section we focus only on polynomials in 2 variables and recall the basic notions just for this special case.
For vectors of integer components define . The graded lexicographical ordering, denoted by , is defined as for vectors and if or and .
We will use the following notation: Let be a nonzero polynomial with each and . Then,
- (a) is the largest exponent vector in with respect to .
- (b) denotes the leading monomial of so if , then .
- (c) denotes the coefficient of . In other words, the so called leading term of is .
- (d) . (Note that if , then .)
- (e) . (If , then .)
- (f) For with and we have and with respect to .
Definition 1.
Let and write . is a Gröbner basis for with respect to if . If for and does not divide any term of for , then is a reduced Gröbner basis for with respect to .
It is known that for any ideal , there exists that is a reduced Gröbner basis with respect to and this basis is unique, apart from permutations of the elements.
The following corollary directly follows from Property (f).
Corollary 1.
Let be a reduced Gröbner basis for with respect to . If for all , then for any , is a reduced Gröbner basis for .
2.2. Main results on expansion complexity and Gröbner bases
For a sequence and , let be the generating polynomial of the truncated sequence , that is,
[TABLE]
Clearly, .
The polynomials satisfying (2) form an ideal generated by . We prove the following result which makes a link between the expansion and i-expansion complexity and the Gröbner basis of .
Theorem 1.
Given any sequence over let be a reduced Gröbner basis for with respect to . Then
[TABLE]
and
[TABLE]
As a consequence, we have the following bounds on the i-expansion complexity:
[TABLE]
Remark.
From a Gröbner basis with respect to a lexicographic order one can compute the Gröbner basis of the same ideal with respect to the graded lexicographical ordering using the FGLM algorithm [6]. The computational complexity of the algorithm, from an ideal generated by is field operations [6, Proposition 4.1]. Thus one can find the polynomials in Theorem 1, and compute the expansion and i-expansion complexity in at most binary operations.
Proof.
In order to prove the first part, observe that for any polynomial satisfying (2) we have for some , so .
For the second part, if for , then the result is immediate. Otherwise, we can reduce it to the case when . If the non-zero polynomial satisfies (2), then is a polynomial with and
[TABLE]
As , we have by the first part of the theorem. Then by Corollary 1 the reduced Gröbner basis changes according to the linear transform of the variables . Moreover, the irreducibility of polynomials and does not change under this transformation. Furthermore, because of the definition of , applying that linear transformation to results in a Gröbner basis with respect to .
Now, we are going to show that one of the polynomials must be irreducible. Suppose, on the contrary, that all the polynomials are reducible, so for all
[TABLE]
As belongs to the reduced Gröbner basis of , we have and so
[TABLE]
Since , the smallest degree term of has degree at least two, so we must have . Similarly, we also get . Write
[TABLE]
Then , so . However, , a contradiction. ∎
3. A probabilistic result
In this section we study the th expansion complexity for random sequences. We prove that for such sequences the th expansion complexity is large.
Let be the uniform probability measure on which assigns the measure to each element of . Let be the sequence space over and let be the complete product probability measure on induced by . We say that a property of sequences holds -almost everywhere if it holds for a set of sequences of -measure . We may view such a property as a typical property of a random sequence over .
Theorem 2.
We have
[TABLE]
We remark that Theorem 2 is the corrected form of [10, Theorem 4]. In [10], the authors used [3, Proposition 7], which requires the irreducibility property, and consequently, it holds for the i-expansion complexity instead of the expansion complexity, see [9, Theorem 2]. Theorem 2 now gives a lower bound on the expansion complexity of typical sequences.
Proof.
First we fix an with and we put
[TABLE]
Then
[TABLE]
for some positive if is large enough. For such put
[TABLE]
Since depends only on the first terms of , the measure is given by
[TABLE]
If is a sequence with , there is a polynomial with degree at most with (2). Write with irreducible factor, then
[TABLE]
Now
[TABLE]
by the choice of . So for some . Without loss of generality, we can suppose that .
We estimate the cardinality of by the number of such sequences that
[TABLE]
Write with and . For a fixed irreducible polynomial of degree there are at most choices for (see [3, p. 332]) and choices for . If two irreducible polynomials are constant multiples of each other, they define the same sequences .
Let a polynomial of degree be called normalized if in the coefficient vector of the homogeneous part with degree of , i.e.,
[TABLE]
the first nonzero element is 1.
Let be the number of normalized irreducible polynomials (with two variables) in of total degree . Then by [2] we have
[TABLE]
Thus
[TABLE]
By the choice of , we have that is at most for some positive . If is large enough, then so
[TABLE]
Then the Borel-Cantelli lemma shows that the set of all for which for infinitely many has -measure [math]. In other words, -almost everywhere we have for at most finitely many . It follows then from the definition of that -almost everywhere we have
[TABLE]
for all sufficiently large . Therefore -almost everywhere,
[TABLE]
By applying this for with and noting that the intersection of countably many sets of -measure has again -measure , we obtain the result of the theorem. ∎
4. Sequences defined by differential equations
In this section we study the expansion complexity of sequences characterized by the property that their generating function satisfies certain differential equations. For let denote the -th Hasse derivative defined by
[TABLE]
The first Hasse derivative is identical to the standard derivative. Moreover, it satisfies the chain rule
[TABLE]
for all . For more details see [7].
In this section we consider sequences whose generating function satisfies
[TABLE]
with polynomials .
In Theorem 3 below, we give bounds on the th expansion complexity of sequences over prime fields whose generating function satisfies a first order differential equation (7) with small degree coefficient polynomials.
One of the most important examples of such a sequence is the explicit inversive generator over a prime field , with some prime , defined by
[TABLE]
with some , . Its generating function satisfies
[TABLE]
see Corollary 2 below.
Theorem 3.
Let be a sequence over . Assume that its generating function satisfies
[TABLE]
with for some polynomials such that there is an with , and .
Let . Then
[TABLE]
Previously, only a few examples for sequences were known with large expansion complexity, all of them share the property (7). Namely, the sequences of binomial coefficients , defined by
[TABLE]
for some , whose generating function is by [10, Lemma 2], which satisfies
[TABLE]
and the explicit inversive generator defined by (8) with , see [9].
We also remark that (9) defines a linear recurrence relation to the counter-dependent sequence in terms of and . This type of relation appears in the so-called counter-dependent nonlinear recursive pseudorandom number generators. A counter-dependent nonlinear recursive pseudorandom number generator is of the form:
[TABLE]
This class of generators was introduced by Shamir and Tsaban in order to avoid unexpected short cycles (see Definition 2.4 of [11]) for . Special cases of this type of generators have been studied in relation with exponential sums and multiplicative character sums [1, 5, 8, 12]. For example, sequences whose generating function satisfies
[TABLE]
coincide with the special class of sequences proposed by Shparlinski and Winterhof [12], defined as .
In order to prove Theorem 3, we need the following result, see [3, Lemma 6].
Lemma 2.
Let be an irreducible polynomial of degree and let be an expansion sequence defined by . Let be a nonzero polynomial with
[TABLE]
Then is a multiple of .
Proof of Theorem 3.
Put . There is a nonzero element among and thus . Indeed, if , then by (9), a contradiction.
If , consider the sequence with and for . Let be the generating function of . Then if and only if . Thus whenever . As it holds for , we can assume that and .
Now suppose that the result does not hold for some , and fix as a minimal value such that
[TABLE]
where . We can assume that . Let such that and . First we prove that is irreducible. Suppose that and
[TABLE]
Then by the minimality of we have
[TABLE]
Thus
[TABLE]
a contradiction.
Taking the derivative of the equation we get
[TABLE]
thus multiplying it with the we get by (9) that
[TABLE]
The degree of
[TABLE]
is .
Let be an expansion sequence defined with for . As , is unique. Then by (10), (12) and by Lemma 2 we get that is a multiple of ,
[TABLE]
for some nonzero . Comparing the degrees of and with respect to , we get .
We show that . Write
[TABLE]
We can assume, that and . The coefficient of in is
[TABLE]
If is a zero of , then it is a zero of by (14) and thus it is a zero of by (13). As , is also a zero of . Let be the multiplicity of in . As is a single zero of , its multiplicity on the left-hand side of (15) is , while its multiplicity on the right-hand side is at least , a contradiction.
Substituting in (14), we get
[TABLE]
Since , must be zero, otherwise it cannot be a constant multiple of its derivative. Thus the minimal polynomial of divides , a contradiction. ∎
Theorem 3 allows us to control the expansion complexity of the explicit inversive generator defined by (8). We remark that for it was shown by Gómez-Pérez, Mérai and Niederreiter that the sequence has optimal expansion complexity, see [9]. Now we deal with the general case.
Corollary 2.
Let be the explicit inversive generator defined by (8) with , . Then we have
[TABLE]
for some absolute constant .
Proof.
For a stronger bound follows from [9, Theorem 8], thus we can assume that .
As , we can assume that . Write . Then
[TABLE]
Now
[TABLE]
On the other hand
[TABLE]
[TABLE]
For we have
[TABLE]
thus by Theorem 3 we have
[TABLE]
For (18) leads to
[TABLE]
and by Theorem 3 we get
[TABLE]
If , by (19) and if , we get by (20). Finally, using , we get for which gives the result. ∎
Remark.
The proof gives the stronger bounds on expansion complexity of the explicit inversive generator with parameters ,
[TABLE]
If the parameters are chosen uniformly from , then it provides a square-root bound for almost all parameters which is optimal, see [9, Theorem 1].
In Theorem 3 we gave lower bounds on the th expansion complexity of sequences whose generating function satisfies a first order differential equation (7). However, we conjecture that sequences with higher order differential equation (7) also have large expansion complexity.
Problem 1.
Let be a sequence in such that its generating function satisfies (7). Estimate the th expansion complexity of the sequence in terms of the coefficient polynomials of (7).
In [10], Mérai, Niederreiter and Winterhof studied the connection between the expansion and linear complexity of sequences. We recall that the th linear complexity of a sequence over a finite field is zero if , otherwise the least positive such that there exist such that
[TABLE]
They proved that large expansion complexity implies large linear complexity
[TABLE]
They also provided a lower bound on the expansion complexity in terms of the linear complexity, however the bound also depends on the linear recurrence relation (21).
Here we give lower bounds on the th linear complexity of sequences with (7) over arbitrary (i.e. not prime) finite fields. This result along with [10] motivates Problem 1.
Theorem 4.
For polynomials consider the differential operator ,
[TABLE]
with coprime coefficients such that it has no rational zero. If is a sequence over such that its generating function satisfies
[TABLE]
then
[TABLE]
with .
Remark.
Theorem 4 also holds with the standard derivative instead of the Hasse derivative. Thus one can also consider the analogue of Problem 1.
Proof.
For put . Then there exist polynomials , , , such that
[TABLE]
One can choose
[TABLE]
where and are the coefficients of the linear recurrence relation (21).
By the chain rule (6), and by (22) we get
[TABLE]
Then multiplying by we get
[TABLE]
Whence
[TABLE]
If , then is a zero of , as (23) holds for with equality, a contradiction.
Comparing the degrees of both sides we get
[TABLE]
which gives the result. ∎
Acknowledgement
D. G-P. is partially supported by project MTM2014-55421-P from the Ministerio de Economia y Competitividad and L. M. is partially supported by the Austrian Science Fund FWF Project I1751-N26 and P 31762.
- [1] Sanka Balasuriya, Igor E. Shparlinski, and Arne Winterhof. An average bound for character sums with some counter-dependent recurrence sequences. Rocky Mountain J. Math., 39(5):1403–1409, 2009.
- [2] Leonard Carlitz et al. The distribution of irreducible polynomials in several indeterminates. Illinois Journal of Mathematics, 7(3):371–375, 1963.
- [3] Claus Diem. On the use of expansion series for stream ciphers. LMS Journal of Computation and Mathematics, 15:326–340, 2012.
- [4] David Eisenbud. Commutative algebra, volume 150 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1995.
- [5] Edwin D. El-Mahassni and Arne Winterhof. On the distribution and linear complexity of counter-dependent nonlinear congruential pseudorandom number generators. JP J. Algebra Number Theory Appl., 6(2):411–423, 2006.
- [6] Jean-Charles Faugere, Patrizia Gianni, Daniel Lazard, and Teo Mora. Efficient computation of zero-dimensional Gröbner bases by change of ordering. Journal of Symbolic Computation, 16(4):329–344, 1993.
- [7] David M. Goldschmidt. Algebraic functions and projective curves, volume 215 of Graduate Texts in Mathematics. Springer-Verlag, New York, 2003.
- [8] Domingo Gomez. Multiplicative character sums with counter-dependent nonlinear congruential pseudorandom number generators. In Sequences and their applications—SETA 2010, volume 6338 of Lecture Notes in Comput. Sci., pages 188–195. Springer, Berlin, 2010.
