AAECC 13, 319–326 (2002)
Lattice Structure and Linear Complexity of Nonlinear Pseudorandom Numbers
Harald Niederreiter¹, Arne Winterhof²
¹ Department of Mathematics, National University of Singapore, 2 Science Drive 2, Singapore 117543, Republic of Singapore (e-mail: [email protected])
² Institute of Discrete Mathematics, Austrian Academy of Sciences, Sonnenfelsgasse 19, 1010 Vienna, Austria (e-mail: [email protected])
Received: October 2, 2001
Abstract. It is shown that a q-periodic sequence over the finite field F_q passes an extended version of Marsaglia's lattice test for high dimensions if and only if its linear complexity is large. The consequences of this result for nonlinear and inversive pseudorandom number generators are worked out.
Keywords: Pseudorandom number generator, Nonlinear method, Inversive method, Linear complexity, Marsaglia's lattice test.
1 Introduction
Nonlinear methods for pseudorandom number generation provide an attractive alternative to linear methods (see the surveys in [6], [17, Chapter 8], [19], and [21]). Initially, (explicit) nonlinear pseudorandom numbers were defined over finite prime fields F_p as p-periodic sequences η_0, η_1, … defined by

$$\eta_n = g(n) \quad \text{for } 0 \le n < p,$$

where g is a nonlinear polynomial over F_p. More recently, nonlinear methods over arbitrary finite fields were introduced (see e.g. [7], [10], and [22]).
There is no formal definition for a good pseudorandom number generator, but there are certain characteristic features that we have in mind when we talk about such a generator. In particular, we require a fine lattice structure, good equidistribution properties, and statistical independence of successive pseudorandom numbers. The present paper deals with criteria for a fine lattice structure.
320 H. Niederreiter, A. Winterhof

Let q be a prime power and F_q be the finite field of order q. We focus on pseudorandom number generators η_0, η_1, … over F_q, i.e., on q-periodic sequences over F_q. The following notion makes sense for arbitrary sequences over F_q. For a given integer s ≥ 1 we say that a sequence η_0, η_1, … over F_q passes the s-dimensional lattice test if the vectors

$$\boldsymbol{\eta}_n - \boldsymbol{\eta}_0 \quad \text{for } n \ge 0$$

span F_q^s, where

$$\boldsymbol{\eta}_n = (\eta_n, \eta_{n+1}, \ldots, \eta_{n+s-1}) \quad \text{for } n \ge 0.$$
Recently, a slightly different lattice test has been introduced by the authors in [23]. For congruential generators modulo a prime p, both lattice tests coincide and this test was proposed by Marsaglia [12].
In the present paper we first investigate the relationship between the lattice test and the linear complexity L(η_n) of a sequence η_0, η_1, … over F_q, where L(η_n) is, by definition, the least nonnegative integer L such that there are constants γ_0, …, γ_{L−1} ∈ F_q satisfying

$$\eta_{n+L} + \gamma_{L-1}\eta_{n+L-1} + \cdots + \gamma_0\eta_n = 0 \quad \text{for all } n \ge L.$$

The linear complexity is defined for any ultimately periodic sequence over F_q. We prove the following theorem in Section 2.
Theorem 1 The q-periodic sequence η_0, η_1, … ∈ F_q passes the s-dimensional lattice test if and only if

$$s < L(\eta_n).$$
If we fix an ordering F_q = {ξ_0, …, ξ_{q−1}} of the elements of F_q, then a q-periodic sequence η_0, η_1, … of elements of F_q can be represented by a uniquely determined polynomial g ∈ F_q[X] with deg(g) < q, that is,

$$\eta_n = g(\xi_n) \quad \text{for } 0 \le n < q.$$

For a special class of orderings of F_q, which can be considered as an extension of the natural ordering {0, 1, …, p − 1} of a prime field F_p, we present a necessary and a sufficient condition on the degree of g for passing the s-dimensional lattice test in Section 3 and apply this result to some interesting nonlinear generators.
In Section 4 we apply Theorem 1 to recursively defined nonlinear pseudorandom number generators, that is,

$$\eta_{n+1} = f(\eta_n) \quad \text{for } n \ge 0$$

with f ∈ F_q[X] and some initial value η_0. In particular, we consider inversive generators.
For finite prime fields the result of Theorem 1 is well known, but the proof cannot be extended to arbitrary finite fields. Eichenauer, Grothe, and Lehn [5] proved that a nonlinear generator η_0, η_1, … over F_p passes the s-dimensional lattice test if and only if s ≤ deg(g) (see also [17, Theorem 8.2] for a short proof) and Blackburn, Etzion, and Paterson [1, Theorem 8] proved L(η_n) = deg(g) + 1. Combining these results yields Theorem 1 for the case q = p.
2 Lattice Test and Linear Complexity
In this section we prove Theorem 1. Put

$$\boldsymbol{\eta}_n = (\eta_n, \eta_{n+1}, \ldots, \eta_{n+s-1}) \quad \text{for } n \ge 0$$

and let V be the subspace of F_q^s spanned by all $\boldsymbol{\eta}_n - \boldsymbol{\eta}_0$ for n ≥ 0.
First we assume that the sequence η_0, η_1, … does not pass the s-dimensional lattice test. Then dim(V) < s and dim(V^⊥) ≥ 1. Take 0 ≠ α ∈ V^⊥; then

$$\boldsymbol{\alpha} \cdot (\boldsymbol{\eta}_n - \boldsymbol{\eta}_0) = 0 \quad \text{for all } n \ge 0$$

and thus

$$\boldsymbol{\alpha} \cdot \boldsymbol{\eta}_n = \boldsymbol{\alpha} \cdot \boldsymbol{\eta}_0 =: b \quad \text{for all } n \ge 0,$$
where · denotes the usual inner product. If α = (α_0, α_1, …, α_{s−1}), then let j be the largest index with α_j ≠ 0 (so 0 ≤ j < s). Then
$$\alpha_0\eta_n + \alpha_1\eta_{n+1} + \cdots + \alpha_j\eta_{n+j} = b \quad \text{for all } n \ge 0 \qquad (1)$$

and

$$\alpha_0\eta_{n+1} + \alpha_1\eta_{n+2} + \cdots + \alpha_j\eta_{n+j+1} = b \quad \text{for all } n \ge 0. \qquad (2)$$

Subtracting (1) from (2) yields

$$-\alpha_0\eta_n + (\alpha_0 - \alpha_1)\eta_{n+1} + \cdots + \alpha_j\eta_{n+j+1} = 0 \quad \text{for all } n \ge 0.$$
Thus, the sequence η_0, η_1, … satisfies a linear recurrence relation of order j + 1, hence

$$L(\eta_n) \le j + 1 \le s.$$

It is obvious that if a sequence fails the lattice test in a certain dimension, then it also fails the lattice test in all higher dimensions. Thus, to complete the proof, it suffices to show that the sequence η_0, η_1, … fails the s-dimensional lattice test for s = L := L(η_n), provided that L ≥ 1. We can indeed assume that L ≥ 1 since the theorem is trivial when L = 0, i.e., when we have the zero sequence. In the following, we use some concepts and facts from the theory of linear recurring sequences over finite fields (see [11, Chapter 6]). Since the sequence η_0, η_1, … has period q, it is a linear recurring sequence with characteristic polynomial X^q − 1 = (X − 1)^q ∈ F_q[X]. Consequently, its minimal polynomial is (X − 1)^L. (See also [4, Lemma 8.2.1].) Since (X − 1)^L is also a characteristic polynomial of the sequence η_0, η_1, …, we get

$$\Delta^L \eta_n = 0 \quad \text{for all } n \ge 0,$$

where Δ^k denotes the kth iterate of the difference operator Δσ_n = σ_{n+1} − σ_n defined on any sequence σ_0, σ_1, … over F_q. It follows that

$$\Delta(\Delta^{L-1}\eta_n) = 0 \quad \text{for all } n \ge 0.$$
A sequence is annihilated by Δ if and only if it is a constant sequence, and so

$$\Delta^{L-1}\eta_n = \Delta^{L-1}\eta_0 \quad \text{for all } n \ge 0.$$

Thus, with certain coefficients γ_0, …, γ_{L−2} ∈ F_q and γ_{L−1} = 1 ∈ F_q we have

$$\sum_{i=0}^{L-1} \gamma_i(\eta_{n+i} - \eta_i) = 0 \quad \text{for all } n \ge 0.$$

This means that the nonzero vector γ = (γ_0, …, γ_{L−1}) ∈ F_q^L belongs to V^⊥, hence dim(V^⊥) ≥ 1 and dim(V) < L. Thus, the sequence η_0, η_1, … fails the L-dimensional lattice test. □
Remarks
1. In the first part of the above proof the condition that η_0, η_1, … be q-periodic was not used. Thus, for any sequence η_0, η_1, … ∈ F_q the property dim(V) < s always implies L(η_n) ≤ s. On the other hand, it is easily seen that L(η_n) < s always implies dim(V) < s.
2. If the sequence η_0, η_1, … ∈ F_q has least period q, then

$$L(\eta_n) \ge \frac{q}{p} + 1 \qquad (3)$$

by [1, Proposition 2], and so the sequence passes the s-dimensional lattice test for all s ≤ q/p.
3 Explicitly Defined Generators
In this section we present the following result on passing or failing the s-dimensional lattice test.
Corollary 1 Let p be a prime, q = p^r, {β_1, β_2, …, β_r} a basis of F_q over F_p, and g ∈ F_q[X]. For integers 0 ≤ n_1, n_2, …, n_r < p and n = n_1 + n_2 p + ⋯ + n_r p^{r−1} put

$$\xi_n = n_1\beta_1 + \cdots + n_r\beta_r.$$

Then the q-periodic sequence η_0, η_1, …, defined by

$$\eta_n = g(\xi_n) \quad \text{for } 0 \le n < q,$$

passes the s-dimensional lattice test for all

$$s < (\deg(g) + 1 + p - q)\,\frac{q}{p}$$

and fails the s-dimensional lattice test for all

$$s \ge (\deg(g) + 1)\,\frac{p}{q} + q - p.$$
Proof. By [15, Theorem 1] we have

$$(\deg(g) + 1 + p - q)\,\frac{q}{p} \le L(\eta_n) \le (\deg(g) + 1)\,\frac{p}{q} + q - p$$

and the result follows easily from Theorem 1. □
Remarks
1. Let $\bar{\eta} = \eta^{-1}$ if η ∈ F_q^* and $\bar{0} = 0$. For given α ∈ F_q^* and β ∈ F_q with q ≥ 3, the explicit inversive generator is defined by

$$\eta_n = \overline{\alpha\xi_n + \beta} = \alpha^{-1}(\xi_n + \alpha^{-1}\beta)^{q-2} \quad \text{for } n = 0, 1, \ldots.$$

Recently, it has been demonstrated in [22] that pseudorandom numbers derived from the explicit inversive generator have desirable statistical independence properties. These pseudorandom numbers show a good behavior under the lattice test as well. The sequence η_0, η_1, … passes the s-dimensional lattice test for all s < q − q/p by Corollary 1.
2. Let γ be a primitive element of F_q. Then the following function is closely related to the Diffie-Hellman problem (see e.g. [24, Chapter 8]),

$$g(\gamma^l) = \gamma^{l^2} \quad \text{for } 0 \le l \le q - 2.$$

The unique polynomial of degree ≤ q − 2 representing g is also denoted by g. By [14, Corollary 1] and [15, Theorem 1] we have the following lower bound on the linear complexity of the corresponding sequence η_0, η_1, … defined by η_n = g(ξ_n):

$$L(\eta_n) \ge \begin{cases} q - 2q/p & \text{if } q \equiv 1 \bmod 4, \\ q - q/p & \text{otherwise.} \end{cases}$$

Hence, the sequence η_0, η_1, … passes the s-dimensional lattice test for

$$s < \begin{cases} q - 2q/p & \text{if } q \equiv 1 \bmod 4, \\ q - q/p & \text{otherwise,} \end{cases}$$

by Theorem 1.
3. The sequence defined by the function g(γ^l) = ξ_l is closely related to the discrete logarithm (see e.g. [16]). We have

$$L(\eta_n) \ge q - \frac{q}{p}$$

by [13, Theorem 5], and thus the sequence η_0, η_1, … passes the s-dimensional lattice test for all s < q − q/p by Theorem 1.
4 Recursively Defined Generators
In this section we study the lattice structure of pseudorandom number generators defined by a recurrence relation over F_q of the form

$$\eta_{n+1} = f(\eta_n) \quad \text{for } n \ge 0 \qquad (4)$$

with some initial value η_0 and f ∈ F_q[X] a nonlinear polynomial. It is obvious that this sequence is ultimately periodic with least period t ≤ q. Throughout this section we assume that this sequence is purely periodic with the largest possible value of t, i.e., t = q. In this case it has linear complexity at least q/p + 1 and passes the s-dimensional lattice test for all s ≤ q/p by (3). For prime fields F_p the sequence passes the s-dimensional lattice test for all s ≤ ⌊p/deg(f)⌋ if deg(f) ≥ 2 (see [20, Theorem 5]).
For some special polynomials we can improve (3) considerably. For given α ∈ F_q^* and β ∈ F_q with q ≥ 3, let ψ be the permutation of F_q defined by

$$\psi(\xi) = \alpha\xi^{q-2} + \beta = \begin{cases} \alpha\xi^{-1} + \beta & \text{if } \xi \ne 0, \\ \beta & \text{if } \xi = 0. \end{cases} \qquad (5)$$
Let η_0, η_1, … be the sequence of elements of F_q obtained by the recurrence relation

$$\eta_{n+1} = \psi(\eta_n) \quad \text{for } n \ge 0, \qquad (6)$$

where η_0 is the initial value. Obviously, this sequence is purely periodic with least period t ≤ q. It is known when such a sequence achieves the largest value of t, i.e., t = q (see [2], [18]).
Theorem 2 A sequence η_0, η_1, … ∈ F_q defined by (5) and (6) with least period t = q has linear complexity at least ⌈q/2⌉ and passes the s-dimensional lattice test for all

$$s \le \frac{q - 1}{2}.$$
Proof. Let L be the linear complexity of the sequence η_0, η_1, …. Then with γ_L = 1 we have

$$\sum_{i=0}^{L} \gamma_i \eta_{n+i} = 0 \quad \text{for all } n \ge 0.$$

Since η_0, η_1, … is periodic, we have γ_0 ≠ 0. (Otherwise the sequence would satisfy a recurrence relation of order smaller than L.)

Let us consider the following sequence of rational functions over F_q:

$$H_0(X) = X \quad \text{and} \quad H_i(X) = H_{i-1}(\alpha X^{-1} + \beta) \quad \text{for } i \ge 1.$$
It is obvious that this sequence is purely periodic. Denote by T the least period. Obviously, T ≥ t = q. For j ≥ 0 let E_j denote the set of poles of the rational functions H_0, …, H_j. Thus |E_j| ≤ j. By induction we have

$$\psi^j(\xi) = H_j(\xi) \quad \text{for all } \xi \in F_q \setminus E_j.$$

By an obvious extension of [9, Lemma 1] to arbitrary finite fields, we have either L ≥ q or $H(X) := \sum_{j=0}^{L} \gamma_j H_j(X)$ does not vanish identically. In the latter case we see that H_i(X) = f_i(X)/g_i(X) are nonconstant rational functions, where f_i, g_i ∈ F_q[X] with max(deg(f_i), deg(g_i)) = 1. Hence, H(X) = F(X)/G(X) with F, G ∈ F_q[X] and deg(F) ≤ L. On the other hand, we have F(ξ) = H(ξ) = 0 for all ξ ∈ F_q \ E_L and thus deg(F) ≥ q − L. Hence in all cases we have L ≥ q/2 and the second assertion follows by Theorem 1. □
Remark. In the case of prime fields F_p with p ≥ 5 the sequence defined by (5) and (6) passes the s-dimensional lattice test for all

$$s \le \begin{cases} (p + 3)/2 & \text{if } p \equiv 3 \bmod 4 \text{ (by [8])}, \\ (p + 1)/2 & \text{otherwise (by [17, Theorem 8.5])}. \end{cases}$$

In some special cases, e.g. when p is a Mersenne prime and the parameters α and β are chosen suitably, it can be shown that the sequence passes the s-dimensional lattice test for all s ≤ p − 2 (see [3]).
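The following Python program is an added example and not code from the paper or its authors. It checks Theorem 1, Corollary 1 and Theorem 2 numerically in the prime-field case q = p (r = 1), where the two bounds of Corollary 1 collapse to L(η_n) = deg(g) + 1. It computes L(η_n) in two independent ways, by the Berlekamp–Massey algorithm on two periods and by the difference-operator argument of Section 2 (the least L with Δ^L η = 0, valid because the minimal polynomial of a p-periodic sequence over F_p is (X − 1)^L), and it runs the s-dimensional lattice test as a rank computation of the vectors η_n − η_0 over F_p. The field size p = 7, the polynomial g(X) = X³ + X + 1 for the explicit generator, and the parameters α = 4, β = 6, η_0 = 0 for the inversive recurrence (6) are constructed choices; with these α, β the recurrence has full period 7, so Theorem 2 applies.

```python
# Added example (not from the paper): Theorem 1, Corollary 1 and Theorem 2 checked
# numerically over a prime field F_p. All parameters below are constructed choices.

def poly_eval(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*X + ... at x modulo p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def explicit_sequence(p, coeffs):
    """One period of the explicit generator eta_n = g(n) over F_p, 0 <= n < p."""
    return [poly_eval(coeffs, n, p) for n in range(p)]

def psi(x, p, alpha, beta):
    """The inversive permutation (5): alpha * x^(p-2) + beta, equal to beta at x = 0."""
    return (alpha * pow(x, p - 2, p) + beta) % p

def inversive_sequence(p, alpha, beta, eta0):
    """One full cycle of recurrence (6) from eta0; psi is a permutation, so the
    sequence is purely periodic and the cycle closes when eta0 reappears."""
    seq = [eta0 % p]
    nxt = psi(seq[0], p, alpha, beta)
    while nxt != seq[0]:
        seq.append(nxt)
        nxt = psi(nxt, p, alpha, beta)
    return seq

def berlekamp_massey(seq, p):
    """Linear complexity of the finite sequence seq over F_p (Massey's algorithm)."""
    n = len(seq)
    C, B = [1] + [0] * n, [1] + [0] * n   # current and previous connection polynomials
    L, m, b = 0, 1, 1                      # length, shift since last update, last discrepancy
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d = (d + C[j] * seq[i - j]) % p
        if d == 0:
            m += 1
            continue
        T = C[:]
        coef = d * pow(b, p - 2, p) % p
        for j in range(m, n + 1):
            C[j] = (C[j] - coef * B[j - m]) % p
        if 2 * L <= i:
            L, B, b, m = i + 1 - L, T, d, 1
        else:
            m += 1
    return L

def linear_complexity(period, p):
    """L(eta_n) of the periodic sequence: two periods suffice since L <= period length."""
    return berlekamp_massey(period * 2, p)

def linear_complexity_by_differences(period, p):
    """Independent computation via the proof of Theorem 1: L is the least k with
    Delta^k eta = 0. Only valid when the period is a power of p; otherwise (X-1)^k
    never annihilates the sequence and a ValueError is raised."""
    q = len(period)
    cur = [x % p for x in period]
    for k in range(q + 1):
        if not any(cur):
            return k
        cur = [(cur[(i + 1) % q] - cur[i]) % p for i in range(q)]   # cyclic Delta
    raise ValueError("period length is not a power of the characteristic")

def rank_mod_p(rows, p):
    """Rank of a list of vectors over F_p by Gaussian elimination."""
    rows = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(rows[0]) if rows else 0):
        piv = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], p - 2, p)
        rows[rank] = [(x * inv) % p for x in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(a - f * c) % p for a, c in zip(rows[r], rows[rank])]
        rank += 1
    return rank

def passes_lattice_test(period, p, s):
    """s-dimensional lattice test: do the vectors eta_n - eta_0 span F_p^s?
    Only n < q matter, since the vectors repeat with the period q."""
    q = len(period)
    vecs = [[period[(n + i) % q] for i in range(s)] for n in range(q)]
    diffs = [[a - b for a, b in zip(v, vecs[0])] for v in vecs[1:]]
    return rank_mod_p(diffs, p) == s

def largest_passing_dimension(period, p):
    """Largest s passing the test (failing in s implies failing in every s' > s)."""
    s = 0
    while s < len(period) and passes_lattice_test(period, p, s + 1):
        s += 1
    return s

def theorem1_holds(period, p):
    """Theorem 1: the s-dimensional test is passed exactly when s < L(eta_n)."""
    L = linear_complexity(period, p)
    return all(passes_lattice_test(period, p, s) == (s < L)
               for s in range(1, len(period) + 1))

if __name__ == "__main__":
    p = 7
    expl = explicit_sequence(p, [1, 1, 0, 1])   # g(X) = X^3 + X + 1, degree 3
    inv = inversive_sequence(p, 4, 6, 0)        # psi(x) = 4 x^{-1} + 6, full period 7
    for name, seq in (("explicit", expl), ("inversive", inv)):
        print(name, seq, "L =", linear_complexity(seq, p),
              "=", linear_complexity_by_differences(seq, p),
              "passes up to s =", largest_passing_dimension(seq, p),
              "Theorem 1 holds:", theorem1_holds(seq, p))
```

For the explicit generator the program finds L(η_n) = 4 = deg(g) + 1 and a largest passing dimension of 3 = deg(g), the prime-field result of [5] and [1] quoted in the Introduction. For the inversive generator it finds L(η_n) = 6 and passing dimensions s ≤ 5 = (p + 3)/2, the bound of [8] quoted in the Remark for p ≡ 3 mod 4, which is well above the general bound (q − 1)/2 of Theorem 2.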
Acknowledgement. This paper was written during a visit of the second author to the National University of Singapore. He wishes to thank the Institute for Mathematical Sciences for hospitality and financial support.
References
1. Blackburn, S.R., Etzion, T., Paterson, K.G.: Permutation polynomials, de Bruijn sequences, and linear complexity. J. Comb. Th. A 76 (1), 55–82 (1996)
2. Chou, W.-S.: The period lengths of inversive pseudorandom vector generations. Finite Fields Appl. 1 (1), 126–132 (1995)
3. Chou, W.-S., Niederreiter, H.: On the lattice test for inversive congruential pseudorandom numbers. In: Niederreiter, H., Shiue, P.J.-S. (eds.): Monte Carlo and Quasi-Monte Carlo Methods in Scientific Computing. Lecture Notes in Statistics 106, pp. 186–197. New York: Springer 1995
4. Cusick, T.W., Ding, C., Renvall, A.: Stream Ciphers and Number Theory. Amsterdam: Elsevier 1998
5. Eichenauer, J., Grothe, H., Lehn, J.: Marsaglia's lattice test and non-linear congruential pseudo random number generators. Metrika 35 (3/4), 241–250 (1988)
6. Eichenauer-Herrmann, J., Herrmann, E., Wegenkittl, S.: A survey of quadratic and inversive congruential pseudorandom numbers. In: Niederreiter, H., et al. (eds.): Monte Carlo and Quasi-Monte Carlo Methods 1996. Lecture Notes in Statistics 127, pp. 66–97. New York: Springer 1998
7. Eichenauer-Herrmann, J., Niederreiter, H.: Digital inversive pseudorandom numbers. ACM Trans. Modeling and Computer Simulation 4 (4), 339–349 (1994)
8. Flahive, M., Niederreiter, H.: On inversive congruential generators for pseudorandom numbers. In: Finite Fields, Coding Theory, and Advances in Communications and Computing (Las Vegas, NV, 1991), Lecture Notes in Pure and Appl. Math. 141, pp. 75–80. New York: Dekker 1993
9. Gutierrez, J., Niederreiter, H., Shparlinski, I.E.: On the multidimensional distribution of inversive congruential pseudorandom numbers in parts of the period. Monatsh. Math. 129 (1), 31–36 (2000)
10. Levin, M.B.: Explicit digital inversive pseudorandom numbers. Math. Slovaca 50 (5), 581–598 (2000)
11. Lidl, R., Niederreiter, H.: Introduction to Finite Fields and Their Applications, rev. ed. Cambridge: Cambridge University Press 1994
12. Marsaglia, G.: The structure of linear congruential sequences. In: Zaremba, S.K. (ed.): Applications of Number Theory to Numerical Analysis, pp. 249–285. New York: Academic Press 1972
13. Meidl, W., Winterhof, A.: Lower bounds on the linear complexity of the discrete logarithm in finite fields. IEEE Trans. Inform. Th. 47, 2807–2811 (2001)
14. Meidl, W., Winterhof, A.: A polynomial representation of the Diffie-Hellman mapping. Appl. Alg. Engrg. Comm. Comp., to appear
15. Meidl, W., Winterhof, A.: Linear complexity and polynomial degree of a function over a finite field. In: Proc. 6th Conf. Finite Fields and Applications, to appear
16. Mullen, G.L., White, D.: A polynomial representation for logarithms in GF(q). Acta Arith. 47 (3), 255–261 (1986)
17. Niederreiter, H.: Random Number Generation and Quasi-Monte Carlo Methods. Philadelphia: SIAM 1992
18. Niederreiter, H.: Pseudorandom vector generation by the inversive method. ACM Trans. Modeling and Computer Simulation 4 (2), 191–212 (1994)
19. Niederreiter, H.: New developments in uniform pseudorandom number and vector generation. In: Niederreiter, H., Shiue, P.J.-S. (eds.): Monte Carlo and Quasi-Monte Carlo Methods in Scientific Computing. Lecture Notes in Statistics 106, pp. 87–120. New York: Springer 1995
20. Niederreiter, H., Shparlinski, I.E.: On the distribution and lattice structure of nonlinear congruential pseudorandom numbers. Finite Fields Appl. 5 (3), 246–253 (1999)
21. Niederreiter, H., Shparlinski, I.E.: Recent advances in the theory of nonlinear pseudorandom number generators. In: Fang, K.-T., Hickernell, F.J., Niederreiter, H. (eds.): Monte Carlo and Quasi-Monte Carlo Methods 2000, pp. 86–102. Berlin: Springer 2002
22. Niederreiter, H., Winterhof, A.: Incomplete exponential sums over finite fields and their applications to new inversive pseudorandom number generators. Acta Arith. 93 (4), 387–399 (2000)
23. Niederreiter, H., Winterhof, A.: On the lattice structure of pseudorandom numbers generated over arbitrary finite fields. Appl. Alg. Engrg. Comm. Comp. 12 (3), 265–272 (2001)
24. Shparlinski, I.E.: Number Theoretic Methods in Cryptography. Basel: Birkhäuser 1999