0.16 MB

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

The detailed autocorrelation distribution and 2-adic complexity of a classes of binary sequences with almost optimal autocorrelation 7 1 0 Yuhua Sun1,2,3, Qiang Wang2, Tongjiang Yan1,3 2 1 College of Sciences, China University of Petroleum, r a Qingdao 266555, Shandong, China M 2 School of Mathematics and Statistics, 8 1 Carleton University, Ottawa , Ontario,K1S 5B6, Canada ] 3 Key Laboratory of Network Security and Cryptology, T Fujian Normal University, Fuzhou, Fujian 350117, China I . s Email: sunyuhua 1@163.com; wang@math.carleton.ca; yantoji@163.com c [ March 21, 2017 3 v 6 6 7 Abstract 3 0 Pseudo-randomsequenceswithgoodstatisticalproperty,suchaslowautocorrelation,highlinear . complexity and large 2-adic complexity, have been used in designing reliable stream ciphers. In 1 this paper, we obtain the exact autocorrelation distribution of a class of sequence with three-level 0 autocorrelation and analyze the 2-adic complexity of this sequence. Our results show that the 7 1 2-adic complexity of the sequence is at least (N +1)−log2(N +1) and that in many cases it is : maximal,whichislargeenoughtoresisttheattackoftherationalapproximationalgorithm(RAA) v for feedback with carry shift registers (FCSRs). Xi Index Terms.stream ciphers; pseudo-random sequences; autocorrelation; 2-adic complexity; r a 1 INTRODUCTION Pseudo-randomsequenceswithgoodstatisticalpropertyarewidelyusedasbasicblocksforconstructing streamciphers. Anykeystreamgeneratorscouldbeimplementedbybothlinearfeedbackshiftregisters (LFSRs) and feedback with carry shift registers (FCSRs). However, after the Berlekamp-Massey algo- rithm (BMA) for LFSRs [13] andthe rationalapproximationalgorithmfor FCSRs [10] were presented, linear complexity and 2-adic complexity of the key stream sequence have been regarded as the critical 1The work issupported by Shandong Provincial Natural Science Foundation of China(No. ZR2014FQ005, The Fun- damental Research Funds for the Central Universities(No. 15CX02065A, No. 15CX08011A, No. 15CX02056A, No. 16CX02013A, No. 16CX02009A), Fujian Provincial Key Laboratory of Network Security and Cryptology Research Fund(FujianNormalUniversity)(No.15002). 1 security criteria and requiredto be no less than one half of the period. Autocorrelationis another crit- ical statistical measure of the key stream sequence. Although the linear complexity of many classes of sequenceshavebeenobtained(See[3]-[4]),thereareonlyahandfulresearchpapersthatfocuson2-adic complexity. For example, in 1997, Klapper has pointed out that an m-sequence with prime period has maximal 2-adic complexity [10]. In 2010, Tian and Qi showed that the 2-adic complexity of all the binary m-sequencesis maximal[17]. Afterwards,Xiong et al. [22] presenteda new method of circulant matrices to compute the 2-adic complexities of binary sequences. Several recent results show that the 2-adic complexity of a sequence possesses a close relationship with its another critical statistical property (i.e., autocorrelation). In [22], Xiong et al showed that all the known sequences with ideal 2-level autocorrelation have maximum 2-adic complexity. Moreover, in [2], Ding et al proved that the 2-adic complexities of Legendre sequences and Ding-Helleseth-Lam sequenceswithoptimalautocorrelationarealsomaximal. Then,usingthe samemethodasthatin[22], Xiongetal. [23]pointedoutthattwootherclassesofsequencesbasedoninterleavedstructurehavealso maximal 2-adic complexity. One of these two classes of sequences was constructed by Tang and Ding [15], which has optimal autocorrelation,the other was constructed by Zhou et al [24], which is optimal with respect to the Tang-Fan-Matsufuji bound [16]. Recently, Hu [7] presented a simpler method to obtain the results of Xiong et al. [22], using detailed autocorrelationvalues. In [1], Cai and Ding gave a generic construction of a large class of sequences with almost optimal autocorrelation, using almost diﬀerence sets. Then Wang [18] and Sun et al [14] proved that most of these sequences have high linear complexity. Meanwhile, Sun et al [14] generalized Cai and Ding’s constructionusingd-formfunctionwithdiﬀerence-balancedpropertyandobtainedmoresequenceswith almostoptimal autocorrelationin this way. In this paper, motivated by Hu’s method [7], we determine the exact autocorrelation distribution and obtain a lower bound on the 2-adic complexity of these sequences. Our result shows that the low bound for this class of sequences with period N is at least (N+1)−log (N+1) andthat in many cases it is maximal, which is largeenough to resistagainstthe 2 rational approximation algorithm (RAA) attack for feedback with carry shift registers (FCSRs). The rest of this paper is organized as follows. Some neccesary deﬁnitions, notations, and previous results are introduced in Section 2. The exact autocorrelationdistribution of a class of almost optimal autocorrelationsequencesthatgeneralizedfromCaiandDing [1]by Sunetal[14]is giveninSection3. In Section 4, the lower bounds on the 2-adic complexities of these sequences will be presented. Finally we summarize our results and give some remarks in Section 5. 2 2 Preliminaries Let N be a positive integer and s = (s ,s ,··· ,s ) a binary sequence of period N. Let S(x) = 0 1 N−1 N−1 s xi ∈Z[x]. Then we write i i=0 P N−1 s 2i i S(2) p = i=0 = , 0≤p≤q, gcd(p,q)=1. (1) 2N −1 2PN −1 q The 2-adic complexity Φ (s) of the sequence s is the integer ⌊log q⌋, i.e., 2 2 2N −1 Φ (s)= log , (2) 2 2gcd(2N −1,S(2)) (cid:22) (cid:23) where ⌊x⌋ is the greatest integer that is less than or equal to x. Let C = {0≤ i≤N −1: s =1} be the support of s. Then s is called the characteristic sequence i of C. The autocorrelation of s is deﬁned by N−1 AC(τ)= (−1)si+si+τ, τ =0,1,2,··· ,N −1, (3) i=0 X whereτ ∈Z . ItiswellknownthatAC(τ)≡N (mod 4)forallτ ∈Z . Moreover,itcanbecomputed N N by AC(τ)=N −4(|C|−d (τ)), (4) C where d (τ) is the diﬀerence function of the support C such that τ +C ={τ +i|i∈C} and C d (τ)=|C∩(τ +C)|. (5) C Deﬁnition 1 Let (G,+) be a cyclic group with N elements and C be a k-element subset of G . Sup- posing the variable τ ranges over all the nonzero elements of G. If d (τ) always takes on the value λ, C then C is called a (N,k,λ) cyclic diﬀerence set of G; if d (τ) takes on λ altogether t times and λ+1 C altogether N −1−t times, then C is called a (N,k,λ,t) cyclic almost diﬀerence set (CADS) in G. According to Eq. (4), when the support C of a sequence s is a (N,k,λ,t) cyclic almost diﬀerence set, the autocorrelationof s is N, for 1 time, AC(τ)= N −4(k−λ), for t times, (6) N −4(k−λ−1), for N −1−t times. 3 Therefore, under the assumption N ≡ 3 (mod 4)), a sequence s of period N has almost optimal autocorrelationif and only if AC(τ)=−1 or 3 for all τ 6≡0 (mod N) (see [1]). Let q be a power of a prime and n a positive integer. Deﬁnition 2 Afunctionf from F toF iscalled ad-form functionon F over F iff(xy)=ydf(x) qn q qn q for any x∈F and y ∈F . qn q Deﬁnition 3 A function from F to F is said to be balanced if the element 0 appears one less time qn q than each nonzero element in F in the list f(α0), f(α1),··· ,f(αqn−2), where α is a primitive element q of F . qn Deﬁnition 4 Let f(x) be a d-form function on F over F and gcd(d,qn−1)=1. Then the function qn q f(x) is called diﬀerence-balanced if f(xz)−f(x) is balanced for any z ∈F \{1}. qn Earlier, Sun et al [14] extended Cai and Ding’s construction [1] to obtain the following almost diﬀerence sets. Lemma 1 [14] Let m be a positive integer, α a primitive element of the ﬁnite ﬁeld F and f(x) a 22m d-form function from F to F with diﬀerence-balanced property. Suppose that C′ is any (2m − 22m 2m 1 1,2m−1 −1,2m−2 −1) diﬀerence set in (Z ,+). Deﬁne C = {(2m +1)i | i ∈ C′}, C = {i ∈ 2m−1 1 1 2 Z | f(αi) = 1}, C = C +C = {(c +c ) (mod 22m − 1) | c ∈ C ,c ∈ C }. Then C is 22m−1 1 2 1 2 1 1 2 2 a (22m −1,22m−1−2m,22m−2−2m,2m −2) almost diﬀerence set in (Z ,+). Furthermore, the 22m−1 characteristic sequence of the set C has the out-of-phase autocorrelation values {−1,3} only. In the sequel, we also need the following number theoretical results. Deﬁnition 5 A composite number n is called a 2-pseudoprime if 2n−1 ≡1 (mod n). For exmple, both 341=11·31 and 561=3·11·17 are 2-pseudoprimes. Lemma 2 [11] If n is a 2-pseudoprime, then 2n−1 is a 2-pseudoprime. Therefore, there are inﬁnitely many 2-pseudoprimes. 3 Detailed autocorrelation distribution of sequences general- ized from Cai and Ding by Sun et al. Inthissection,wederivetheexactautocorrelationdistributionofthesequencesconstructedinLemma 1. Previously, we know that the autocorrelation of this sequence is almost optimal, however, it is not good enough to help us determine the lower bound on its 2-adic complexity. In order to achieve our goal, we use Eq. (6) and Lemma 1 to ﬁnd out the exact autocorrelationdistribution of s. 4 Lemma 3 Let f(x) be a d-form function on F over F with diﬀerence-balanced property. Deﬁne qn q H = {x ∈ F∗ | f(x) = a, a ∈ F∗}. Then, for a primitive element β of F and i ∈ {1,2,··· ,q−2}, a qn q q we must have βix∈/ H for any x∈H and |H |=qn−1. a a a Proof.Bythedeﬁnitionofd-formfunction,f(βix)=βidf(x)foranyx∈F . Ifx∈H andβix∈H , qn a a we get βid = 1, which is impossible since gcd(d,q−1)= 1 and i ∈{1,2,··· ,q−2}. Additionally, the diﬀerence-balanced property guarantees |H |=qn−1. a Lemma 4 Let all the symbols be the same as those in Lemma 1. Suppose that τ = (2m+1)τ , where 1 τ ∈{1,2,··· ,2m−2}. Then 1 d (τ)=|C∩(C+τ)|=22m−2−2m. C Proof. Let c = (2m+1)i with a ﬁxed i ∈ C′ such that i+τ ∈ C′. Then, for any c ∈ C , we can 1 1 1 1 2 2 see that c = c +c ∈ C and c+τ = c +c +τ = (2m +1)(i+τ )+c ∈ C. Conversely, for any 1 2 1 2 1 2 c∈C, the pair(c ,c ) suchthatc=c +c with c ∈C andc ∈C is unique. Moreover,thereexists 1 2 1 2 1 1 2 2 exactly one i∈C′ such that c =(2m+1)i and c+τ =(2m+1)(i+τ )+c ∈C. Indeed, by the ﬁrst 1 1 1 2 conclusionof Lemma 3, c +(2m+1)k∈/ C for anyc ∈C andanyk ∈{1,2,··· ,2m−2}. Therefore, 2 2 2 2 c=c +c ∈C and c+τ ∈C if and only if (2m+1)(i+τ )∈C , i.e., i+τ ∈C′. 1 2 1 1 1 1 Hence, dC(τ)=|C∩(C+τ)|=|C2|·|C1′ ∩(C1′ +τ1)|=|C2|·dC1′. By the assumption that C′ is a (2m − 1,2m−1 − 1,2m−2 − 1) diﬀerence set in (Z ,+). Then 1 2m−1 dC′ =2m−2−1. Furthermore,|C2|=2mbyLemma3. Theresultfollows. 1 Theorem 1 Let m be a positive integer, α a primitive element of F and f(x) a d-form function 22m from F to F with diﬀerence-balanced property. Suppose that C′ is any (2m−1,2m−1−1,2m−2−1) 22m 2m 1 diﬀerence set in (Z ,+). Deﬁne C = {(2m +1)i | i ∈ C′}, C = {i ∈ Z | f(αi) = 1}, 2m−1 1 1 2 22m−1 C = C + C = {(c + c ) (mod 22m − 1) | c ∈ C ,c ∈ C }. Then the exact autocorrelation 1 2 1 2 1 1 2 2 distribution of the characteristic sequence s of C is given by −1, τ ∈{(2m+1)τ |τ =1,2,··· ,2m−2}, 1 1 AC(τ)= ( 3, 1≤τ ≤22m−2, but τ ∈/ {(2m+1)τ1 |τ1 =1,2,··· ,2m−2}. Proof. First of all, from the parameters of the almost diﬀerence set C in Lemma 1, we know that |C|=22m−1−2m and that there are 2m−2 τ’s such that the autocorrelation AC(τ)=−1. Secondly, by Lemma 4 we have d (τ)=|C∩(C+τ)|=22m−2−2m for τ ∈{(2m+1)τ |τ =1,2,··· ,2m−2}. C 1 1 Then, using Eq. (4), we get AC(τ) = −1 for τ ∈ {(2m+1)τ | τ = 1,2,··· ,2m−2}. Note that the 1 1 size of the set {(2m+1)τ |τ =1,2,··· ,2m−2} is exactly 2m−2. Therefore the proof is complete. 1 1 5 4 Lower bounds on the 2-adic complexity of sequences gener- alized from Cai and Ding by Sun et al. Recall that the sequence s in Lemma 1 has the period N = 22m −1. In the following we let S(x) = N−1 N−1 sixi and T(x)= (−1)sixi ∈Z[x]. i=0 i=0 P P N−1 N−1 Lemma 5 Let S(x)= sixi and T(x)= (−1)sixi ∈Z[x]. Then i=0 i=0 P P N−1 N−1 −2S(x)T(x−1)≡N + AC(τ)xτ −T(x−1) xi (mod xN −1). (7) ! τ=1 i=0 X X proof. According to the deﬁnition of T(x), we have N−1 N−1 T(x)T(x−1) ≡ (−1)sixi (−1)sjx−j (mod xN −1) ! i=0 j=0 X X N−1N−1 ≡ (−1)si+sjxi−j (mod xN −1) i=0 j=0 X X N−1N−1 ≡ N + (−1)sj+τ+sjxτ (mod xN −1) τ=1 j=0 X X N−1 ≡ N + AC(τ)xτ (mod xN −1). (8) τ=1 X Furthermore, we have N−1 N−1 N−1 T(x)= (−1)sixi = (1−2si)xi = xi−2S(x). (9) i=0 i=0 i=0 X X X Combining Eqs. (8)−(9), we obtain the result. (cid:3) EmployingLemma5andthedetailedautocorrelationdistributionofs, wecanobtainthe following. Lemma 6 Let m be a positive integer, N =22m−1, and s be the binary sequence with almost optimal autocorrelation in Lemma 1. Then 2N −1 S(2)T(2−1)≡−2 (22m−2− (mod 2N −1)). (10) 22m+1−1 (cid:18) (cid:19) 6 proof. Recall that C = {(2m +1)τ |τ = 1,2,··· ,2m −2} in Lemma 5. In convenience, we denote 1 1 1 Z⋆ = {1,2,··· ,N −1}. Substituting the autocorrelation in Theorem 1 into Eq. (7) in Lemma 5, we N can see N−1 N−1 −2S(x)T(x−1) ≡ N + AC(τ)xτ −T(x−1) xi (mod xN −1) ! τ=1 i=0 X X ≡ N + 3·xτ + (−1)·xτ τ∈ZX⋆N\C1 τX∈C1 N−1 −T(x−1) xi (mod xN −1) ! i=0 X ≡ N + 3·xτ + (−3)·xτ + (−1)·xτ τX∈Z⋆N τX∈C1 τX∈C1 N−1 −T(x−1) xi (mod xN −1) ! i=0 X ≡ N + 3·xτ + (−4)·xτ (11) τX∈Z⋆N τX∈C1 N−1 −T(x−1) xi (mod xN −1) ! i=0 X N−1 2m−2 ≡ N + 3·xτ + (−4)·x(2m+1)τ1 τX=1 τX1=1 N−1 −T(x−1) xi (mod xN −1) ! i=0 X N−1 2m−2 ≡ N −3 1− xτ + 4−4· x(2m+1)τ1 ! ! τX=0 τX1=0 N−1 −T(x−1) xi (mod xN −1) ! i=0 X 4(xN −1) N−1 ≡ N +1− −(1+T(x−1)) xi (mod xN −1). x2m+1−1 ! i=0 X 7 Then, substituting 2 for x we have 4(2N −1) −2S(2)T(2−1) ≡ N +1− (mod 2N −1)) 22m+1−1 2N −1 ≡ 4 22m−2− (mod 2N −1)). 22m+1−1 (cid:18) (cid:19) The result follows. (cid:3) In order to give the lower bound on the 2-adic complexity, we also need the following simple result in number theory whose proof is omitted here. Lemma 7 Let n′, m′ be any positive integer. Then 2n′m′ −1 ≡n′ (mod 2m′ −1). 2m′ −1 Now we give a general lower bound on the 2-adic complexity for the sequence s constructed in Lemma 1. Theorem 2 Let m be a positive integer, α a primitive element of F and f(x) a d-form function 22m from F to F with diﬀerence-balanced property. Suppose that C′ is any (2m−1,2m−1−1,2m−2−1) 22m 2m 1 diﬀerenceset in (Z2m−1,+), C1 ={(2m+1)i|i∈C1′}, C2 ={i∈Z22m−1|f(αi)=1}and C =C1+C2 = {(c +c ) (mod ()22m−1)|c ∈ C ,c ∈ C }. Denote s to be the characteristic sequence of C. Then 1 2 1 1 2 2 the 2-adic complexity Φ (s) of s is bounded by 2 Φ (s)≥(N +1)−log (N +1). (12) 2 2 Proof. Above all, from the known conditions, we know that m≥2. It is easy to see that gcd S(2),2N −1 |gcd S(2)T(2−1),2N −1 (cid:0) (cid:1) (cid:0) (cid:1) and that the product 2N −1 gcd S(2)T(2−1), gcd S(2)T(2−1),22m+1−1) 22m+1−1 (cid:18) (cid:19) (cid:16) (cid:17) is divided by gcd S(2)T(2−1),2N −1 . Then we get (cid:0) (cid:1) 2N −1 gcd S(2),2N −1 | gcd S(2)T(2−1), 22m+1−1 (cid:18) (cid:18) (cid:19) (cid:0) (cid:1) gcd S(2)T(2−1),22m+1−1 . (13) (cid:16) (cid:17)(cid:17) 8 By Lemma 6, we have 2N −1 S(2)T(2−1) ≡ −2(22m−2− ) (mod 2N −1) 22m+1−1 2N −1 ≡ −22m−1 (mod ). 22m+1−1 Then we have 2N −1 2N −1 gcd(S(2)T(2−1), )=gcd(22m−1, )=1. (14) 22m+1−1 22m+1−1 Upper bound of gcd S(2)T(2−1),22m+1−1 is considered in the following. Note that N =22m−1= (2m−1)(2m+1). By(cid:0) Lemma 7, we get (cid:1) 2N −1 ≡2m−1 (mod 22m+1−1). 22m+1−1 Then, by Lemma 6 again, we have 2N −1 S(2)T(2−1) ≡ −2 22m−2− (mod 2N −1) 22m+1−1 (cid:18) (cid:19) ≡ −2 22m−2−2m+1 (mod 22m+1−1) (cid:0) (cid:1) Accordingly, we know that gcd S(2)T(2−1),22m+1−1 =gcd 22m−2−2m+1,22m+1−1 . (15) (cid:16) (cid:17) (cid:16) (cid:17) Note that 22m−2−2m+1<22m−2+1<22m+1−1 (m≥2). Therefore we obtain an upper bound of gcd(S(2)T(2−1),22m+1−1) gcd(S(2)T(2−1),22m+1−1)≤22m−2−2m+1<22m−2−1. (16) Combining Eqs. (13),(14) and (16), we have gcd(S(2),2N −1)≤22(m−1)−1. Therefore, by Eq. (2), the 2-adic complexity Φ (s) of s is bounded by 2 2N −1 Φ (s) = ⌊log ⌋≥(N −1)−2(m−1) 2 2gcd(S(2),2N −1) = N −2m+1=(N +1)−log (N +1). 2 (cid:3) 9 Remark 1 From the result of Theorem 2, it is easy to test that the lower bound in Eq.(12) is larger than N for any positive integer m. Hence, the 2-adic complexity of s is large enough to resist RAA. In 2 fact, in many cases, the lower bound can be maximal. In the following, we will discuss these cases. Lemma 8 Let m−1 be a prime or a 2-pseudoprime. Then we have 25−1, if m−1≡5 (mod 20), gcd S(2)T(2−1),22m+1−1 = ( 1, otherwise. (cid:16) (cid:17) Proof. Note that 22m−2−2m+1=(2m−1−1)2. Then, by Eq. (15), we know that gcd S(2)T(2−1),22m+1−1 =gcd (2m−1−1)2,22m+1−1 . (17) (cid:16) (cid:17) (cid:16) (cid:17) Next, we will determine the value of gcd 2m−1−1,22m+1−1 in severalsteps. Firstly, it is easy to see that (cid:0) (cid:1) gcd 2m−1−1,22m+1−1 =2gcd(m−1,2m+1)−1. (18) (cid:16) (cid:17) Since m−1 is a prime or a 2-pseudoprime, then we have m−1|2m−2−1, which implies that 2m+1= 4(2m−2−1)+5≡5modm−1. Therefore, we have gcd(2m+1,m−1)=gcd(m−1,5). By Eq. (18), we know that 25−1, if m−1≡0 (mod 5), gcd 2m−1−1,22m+1−1 = (19) ( 1, otherwise. (cid:16) (cid:17) Secondly,wewillprovem−1≡5 (mod 10)if5|m−1,i.e.,m−1isnotevenif5|m−1. Otherwise,if m−1iseven,i.e.,misodd,thenm≡1 (mod 4)orm≡3 (mod 4),whichimpliesthat2m ≡2 (mod 5) ifm≡1 (mod 4)and2m ≡3 (mod 5)ifm≡3 (mod 4). Butsincem−1isaprimeor2-pseudoprime, we have m−1|2m−2 −1. Further, since 5|m−1, then 5|2m−2 −1 and 2m = 4(2m−2 −1)+4 ≡ 4 (mod 5), a contradiction to 2m ≡2 (mod 5) or 2m ≡3 (mod 5). Thus, we obtain that 25−1, if m−1≡5mod10, gcd(2m−1−1,22m+1−1)= ( 1, otherwise. Thirdly, we will prove m−1 ≡ 5 (mod 20) if m−1 ≡ 5 (mod 10), i.e., m−1 6≡ 15 (mod 20) if m−1 ≡ 5 (mod 10). Otherwise, if m−1 ≡ 15 (mod 20), then we have m−1 ≡ 3 (mod 4) or m ≡ 0 (mod 4), which implies 2m ≡ 1 (mod 5), a contradiction to the above 2m = 4(2m−2 −1)+ 4 ≡ 4 (mod 5). Thus we have 25−1, if m−1≡5 (mod 20), gcd(2m−1−1,22m+1−1)= ( 1, otherwise. 10

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.