Exponential Sums over Points of Elliptic Curves

arXiv:1302.4210v3 [math.NT] 22 Aug 2013

Omran Ahmadi, School of Mathematics, Institute for Research in Fundamental Sciences, P.O. Box: 19395-5746, Tehran, Iran, [email protected]

Igor E. Shparlinski, Department of Pure Mathematics, University of New South Wales, Sydney, NSW 2052, Australia, [email protected]

Abstract

We derive a new bound for some bilinear sums over points of an elliptic curve over a finite field. We use this bound to improve a series of previous results on various exponential sums and some arithmetic problems involving points on elliptic curves.

Subject Classification (2010): Primary 11L07, 11T23; Secondary 11G20

1 Introduction

Let $q$ be a prime power and let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_q$ of $q$ elements of characteristic $p \ge 5$, given by an affine Weierstraß equation
$$E : Y^2 = X^3 + AX + B$$
with some $A, B \in \mathbb{F}_q$, see [2, 5, 34]. We recall that the set of all points on $E$ forms an abelian group, with the "point at infinity" $\mathcal{O}$ as the neutral element, and we use $\oplus$ to denote the group operation. In particular, we sometimes work with group characters associated with this group. As usual, we write every point $P \ne \mathcal{O}$ on $E$ as $P = (x(P), y(P))$. Let $E(\mathbb{F}_q)$ denote the set of $\mathbb{F}_q$-rational points on $E$.

We recall that the celebrated result of Bombieri [6] implies, in particular, an estimate of order $q^{1/2}$ for exponential sums with functions from the function field of $E$ taken over all points of $E(\mathbb{F}_q)$. More recently, various character sums over points of elliptic curves have been considered in a number of papers, see [1, 3, 8, 12, 13, 17, 18, 19, 25, 26, 28, 30, 32] and references therein. These estimates are motivated by various applications to such areas as

• pseudorandom number generators from elliptic curves, see the most recent works [4, 8, 20, 21, 22, 23] and also the survey [31];
• randomness extractors from elliptic curves [9, 10];
• analysing an attack on the Digital Signature Algorithm on elliptic curves [24];
• hashing to elliptic curves [14];
• finding generators and the structure of the groups of points on elliptic curves [17, 32];
• constructing some special bases related to quantum computing [33].

We fix a nonprincipal additive character $\psi$ of $\mathbb{F}_q$. All of our estimates are uniform with respect to the additive character $\psi$.

Let $G \in E(\mathbb{F}_q)$ be a point of order $T$, in other words, $T$ is the cardinality of the cyclic group $\langle G \rangle$ generated by $G$ in $E(\mathbb{F}_q)$. Given two sets $\mathcal{A}, \mathcal{B} \subseteq \mathbb{Z}_T^*$ in the unit group of the residue ring $\mathbb{Z}_T$ modulo $T$, and arbitrary complex functions $\alpha$ and $\beta$ supported on $\mathcal{A}$ and $\mathcal{B}$ with
$$|\alpha_a| \le 1, \quad a \in \mathcal{A}, \qquad\text{and}\qquad |\beta_b| \le 1, \quad b \in \mathcal{B},$$
we consider the bilinear sums of multiplicative type:
$$U_{\alpha,\beta}(\psi, \mathcal{A}, \mathcal{B}; G) = \sum_{a \in \mathcal{A}} \sum_{b \in \mathcal{B}} \alpha_a \beta_b\, \psi(x(abG)). \tag{1}$$
Furthermore, given two sets $\mathcal{P}, \mathcal{Q} \subseteq E(\mathbb{F}_q)$ and arbitrary complex functions $\rho(P)$ and $\vartheta(Q)$ supported on $\mathcal{P}$ and $\mathcal{Q}$, we consider the bilinear sums of additive type:
$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) = \sum_{P \in \mathcal{P}} \sum_{Q \in \mathcal{Q}} \rho(P)\vartheta(Q)\, \psi(x(P \oplus Q)). \tag{2}$$

Bounds for the sums $U_{\alpha,\beta}(\psi, \mathcal{A}, \mathcal{B}; G)$ and $V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q})$ are proved in [1, 3] and [28], respectively, where several applications of these bounds have been shown. Here we improve the bound of [28] and use it together with the bound of [1], and also with some additional arguments, to refine a series of previous results. In particular, we give improvements:

• of the elliptic curve version of the sum-product theorem of [29];
• of the bound of character sums from [19] with sequences of points of cryptographic significance;
• of the bound of character sums from [30] with linear combinations of $x(P)$ and $x(nP)$ for $P \in E(\mathbb{F}_q)$.

Throughout the paper, any implied constants in the symbols $O$ and $\ll$ may occasionally depend, where obvious, on the integer parameter $\nu \ge 1$ and the real parameter $\varepsilon > 0$, but are absolute otherwise. We recall that the notations $A \ll B$ and $A = O(B)$ are both equivalent to the statement that the inequality $|A| \le cB$ holds with some constant $c > 0$.

2 Preparations

2.1 Single sums

We recall the following special case of the bound of [17, Corollary 1].

Lemma 1. Let $E$ be an ordinary curve defined over $\mathbb{F}_q$ and let $G \in E(\mathbb{F}_q)$ be a point of order $T$. Then for any group character $\chi$ on $E(\mathbb{F}_q)$,
$$\sum_{n \in \mathbb{Z}_T} \psi(x(nG))\, \chi(nG) \ll q^{1/2}.$$


2.2 Bilinear sums of multiplicative type

We recall the bound of [1, Theorem 2.1] on the sums (1).

Lemma 2. Let $E$ be an ordinary elliptic curve defined over $\mathbb{F}_q$, and let $G \in E(\mathbb{F}_q)$ be a point of order $T$. Then, for any fixed integer $\nu \ge 1$, uniformly over all nontrivial additive characters $\psi$ of $\mathbb{F}_q$, we have
$$U_{\alpha,\beta}(\psi, \mathcal{A}, \mathcal{B}; G) \ll (\#\mathcal{A})^{1-1/2\nu} (\#\mathcal{B})^{1-1/(\nu+2)}\, T^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} (\log q)^{1/(\nu+2)}.$$

2.3 Bilinear sums of additive type

For the sum (2) it is shown in [28] that if
$$\max_{P \in \mathcal{P}} |\rho(P)| \le 1 \qquad\text{and}\qquad \max_{Q \in \mathcal{Q}} |\vartheta(Q)| \le 1,$$
then for any fixed integer $\nu \ge 1$ we have
$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) \ll (\#\mathcal{P})^{1-1/2\nu} (\#\mathcal{Q})^{1/2} q^{1/2\nu} + (\#\mathcal{P})^{1-1/2\nu}\, \#\mathcal{Q}\, q^{1/4\nu}. \tag{3}$$

Here we obtain a different bound which is stronger than (3) in several cases (for example, when $\#\mathcal{P} = \#\mathcal{Q}$).

Theorem 3. Let $E$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let
$$\sum_{P \in \mathcal{P}} |\rho(P)|^2 \le R \qquad\text{and}\qquad \sum_{Q \in \mathcal{Q}} |\vartheta(Q)|^2 \le T.$$
Then, uniformly over all nontrivial additive characters $\psi$ of $\mathbb{F}_q$,
$$|V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q})| \ll \sqrt{qRT}.$$

Proof. Let $\mathcal{X}$ be the set of group characters on $E(\mathbb{F}_q)$. We collect the points $P$ and $Q$ with a given sum $S = P \oplus Q$ and identify this condition via the character sum over $\mathcal{X}$ (by orthogonality, $\frac{1}{\#E(\mathbb{F}_q)} \sum_{\chi \in \mathcal{X}} \chi(W)$ equals $1$ if $W = \mathcal{O}$ and $0$ otherwise). This gives
$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) = \sum_{S \in E(\mathbb{F}_q)} \psi(x(S)) \sum_{P \in \mathcal{P}} \sum_{Q \in \mathcal{Q}} \rho(P)\vartheta(Q)\, \frac{1}{\#E(\mathbb{F}_q)} \sum_{\chi \in \mathcal{X}} \chi(P \oplus Q \ominus S).$$
Therefore
$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) = \frac{1}{\#E(\mathbb{F}_q)} \sum_{\chi \in \mathcal{X}} \sum_{S \in E(\mathbb{F}_q)} \psi(x(S))\, \overline{\chi}(S) \sum_{P \in \mathcal{P}} \rho(P)\chi(P) \sum_{Q \in \mathcal{Q}} \vartheta(Q)\chi(Q).$$
The sum over $S$ is $O(q^{1/2})$ by Lemma 1 (applied to the group character $\overline{\chi}$), so
$$V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q}) \ll \frac{q^{1/2}}{\#E(\mathbb{F}_q)} \sum_{\chi \in \mathcal{X}} \Bigl| \sum_{P \in \mathcal{P}} \rho(P)\chi(P) \Bigr|\, \Bigl| \sum_{Q \in \mathcal{Q}} \vartheta(Q)\chi(Q) \Bigr|.$$
We now use the Cauchy inequality, getting
$$\Bigl( \sum_{\chi \in \mathcal{X}} \Bigl| \sum_{P \in \math{P}} \rho(P)\chi(P) \Bigr|\, \Bigl| \sum_{Q \in \mathcal{Q}} \vartheta(Q)\chi(Q) \Bigr| \Bigr)^2 \le \sum_{\chi \in \mathcal{X}} \Bigl| \sum_{P \in \mathcal{P}} \rho(P)\chi(P) \Bigr|^2\, \sum_{\chi \in \mathcal{X}} \Bigl| \sum_{Q \in \mathcal{Q}} \vartheta(Q)\chi(Q) \Bigr|^2 \le \#E(\mathbb{F}_q)^2\, RT,$$
since
$$\sum_{\chi \in \mathcal{X}} \Bigl| \sum_{P \in \mathcal{P}} \rho(P)\chi(P) \Bigr|^2 = \sum_{P_1, P_2 \in \mathcal{P}} \rho(P_1)\overline{\rho(P_2)} \sum_{\chi \in \mathcal{X}} \chi(P_1 \ominus P_2) = \#E(\mathbb{F}_q) \sum_{P \in \mathcal{P}} |\rho(P)|^2 \le \#E(\mathbb{F}_q)\, R$$
and, similarly,
$$\sum_{\chi \in \mathcal{X}} \Bigl| \sum_{Q \in \mathcal{Q}} \vartheta(Q)\chi(Q) \Bigr|^2 \le \#E(\mathbb{F}_q)\, T,$$
and the desired result now follows.

3 Combinatorial Problems

3.1 Sum-product problem for elliptic curves

In [29], for any sets $\mathcal{R}, \mathcal{S} \subseteq E(\mathbb{F}_q)$ it is shown that
$$\#\mathcal{U}\, \#\mathcal{V} \gg \min\{ q\,\#\mathcal{R},\ (\#\mathcal{R})^2\, \#\mathcal{S}\, q^{-1/2} \}, \tag{4}$$
where
$$\mathcal{U} = \{ x(R) + x(S) : R \in \mathcal{R},\ S \in \mathcal{S} \}, \qquad \mathcal{V} = \{ x(R \oplus S) : R \in \mathcal{R},\ S \in \mathcal{S} \}. \tag{5}$$
Clearly (4) implies that at least one of the sets $\mathcal{U}$ and $\mathcal{V}$ is large. The main ingredient of the proof of (4) in [29] is (3). Using Theorem 3 in the argument of [29] one immediately derives the following improvement on (4).

Theorem 4. Let $E$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $\mathcal{R}$ and $\mathcal{S}$ be arbitrary subsets of $E(\mathbb{F}_q)$. Then for the sets $\mathcal{U}$ and $\mathcal{V}$ given by (5) we have
$$\#\mathcal{U}\, \#\mathcal{V} \gg \min\{ q\,\#\mathcal{R},\ (\#\mathcal{R}\, \#\mathcal{S})^2 q^{-1} \}.$$

3.2 Sárközy problem for elliptic curves

In [28], the number of solutions $M(\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V})$ of the equation
$$x(S) + x(T) = x(U \oplus V), \qquad S \in \mathcal{S},\ T \in \mathcal{T},\ U \in \mathcal{U},\ V \in \mathcal{V},$$
for any sets $\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V} \subseteq E(\mathbb{F}_q)$ is estimated. It is shown that if
$$\#\mathcal{S}\, \#\mathcal{T}\, \#\mathcal{U}\, \#\mathcal{V} \ge q^{7/2+\varepsilon}, \qquad \varepsilon > 0,$$
then
$$M(\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V}) = \bigl( 1 + O(q^{-\varepsilon/2}) \bigr) \frac{\#\mathcal{S}\, \#\mathcal{T}\, \#\mathcal{U}\, \#\mathcal{V}}{q}. \tag{6}$$
The result above is the elliptic curve analogue of a result of A. Sárközy [27] regarding the number of solutions $N(\mathcal{A}, \mathcal{B}, \mathcal{C}, \mathcal{D})$ of the equation
$$a + b = cd, \qquad a \in \mathcal{A},\ b \in \mathcal{B},\ c \in \mathcal{C},\ d \in \mathcal{D},$$
for sets $\mathcal{A}, \mathcal{B}, \mathcal{C}, \mathcal{D} \subseteq \mathbb{F}_q$. In [28], the asymptotic formula (6) is proved using (3). Now, using Theorem 3, the following improvement on (6) is immediate. The proof is omitted as it is completely similar to the proof given in [28].

Theorem 5. Let $E$ be an ordinary elliptic curve defined over $\mathbb{F}_q$. Then for every $\varepsilon > 0$ and arbitrary sets $\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V} \subseteq E(\mathbb{F}_q)$ with
$$\#\mathcal{S}\, \#\mathcal{T}\, \#\mathcal{U}\, \#\mathcal{V} \ge q^{3+\varepsilon}$$
we have
$$M(\mathcal{S}, \mathcal{T}, \mathcal{U}, \mathcal{V}) = \bigl( 1 + O(q^{-\varepsilon/2}) \bigr) \frac{\#\mathcal{S}\, \#\mathcal{T}\, \#\mathcal{U}\, \#\mathcal{V}}{q}.$$

3.3 Distribution of subset sums

Let $P \in E(\mathbb{F}_q)$ be an $\mathbb{F}_q$-rational point on an elliptic curve $E$ over $\mathbb{F}_q$, and let $\sigma$ be an endomorphism of $E$. Also, let $\mathcal{M}_k$ be the set of $k$-dimensional vectors with coordinates $0, \pm 1$ which do not have two consecutive nonzero components, that is,
$$\mu_j \mu_{j+1} = 0, \qquad j = 0, \ldots, k-2. \tag{7}$$
Motivated by applications to pseudo-random number generation, the set of points
$$P_{\sigma,\mathbf{m}} = \sum_{j=0}^{k-1} \mu_j\, \sigma^j(P), \qquad \mathbf{m} = (\mu_0, \ldots, \mu_{k-1}) \in \mathcal{M}_k, \tag{8}$$
where $\sigma$ is an endomorphism of the elliptic curve $E$, has been considered in [19]. In [19], three specific endomorphisms are considered.

The first endomorphism considered in [19] is the doubling endomorphism $\delta(P) = 2P$, which is defined for any elliptic curve over any finite field.

The second endomorphism considered in [19] is the Frobenius endomorphism of the so-called Koblitz curves. A Koblitz curve $E_a$, $a \in \mathbb{F}_2$, is given by the Weierstraß equation
$$E_a : Y^2 + XY = X^3 + aX^2 + 1$$
(see [16]), and its Frobenius endomorphism $\varphi$, which acts on an $\mathbb{F}_{2^n}$-rational point $P = (x, y) \in E_a(\mathbb{F}_{2^n})$, is given by
$$\varphi(P) = (x^2, y^2).$$
Clearly $\varphi(P) \in E_a(\mathbb{F}_{2^n})$.

Finally, as in [19], we consider one of the so-called GLV curves introduced by Gallant, Lambert and Vanstone [15], which we detail below. Let the characteristic of $\mathbb{F}_q$ be a prime $p \ge 3$ such that $-7$ is a quadratic residue modulo $p$ (that is, $p \equiv 1, 2, 4 \pmod 7$). Define an elliptic curve $E_{GLV}$ over $\mathbb{F}_p$ by
$$E_{GLV} : Y^2 = X^3 - \tfrac{3}{4} X^2 - 2X - 1.$$
Let $\xi \in \mathbb{F}_p$ be a square root of $-7$. If $b = (1 + \xi)/2$ and $c = (b - 3)/4$, then the map $\psi$, defined in the affine plane by
$$\psi(P) = \left( \frac{x^2 - b}{b^2 (x - c)},\ \frac{y\,(x^2 - 2cx + b)}{b^3 (x - c)^2} \right)$$
for $P = (x, y) \in E_{GLV}$, is an endomorphism of $E_{GLV}$.

In [19], it has been shown that under mild conditions the points (8) possess some uniformity of distribution properties, where $\sigma$ is one of the following endomorphisms:
$$\sigma = \begin{cases} \delta, & \text{for an arbitrary curve } E, \\ \varphi, & \text{for a Koblitz curve } E = E_a,\ a = 0, 1, \\ \psi, & \text{for the GLV curve } E = E_{GLV}. \end{cases} \tag{9}$$

Here, using Theorem 3, we improve the result of [19] in some ranges of parameters. First we need the following estimate on $\#\mathcal{M}_k$ given by Bosma [7, Proposition 4].

Lemma 6. For any $k \ge 2$, we have
$$\#\mathcal{M}_k = \tfrac{4}{3}\, 2^k + O(1).$$

For an endomorphism $\sigma$ of an elliptic curve $E$ over $\mathbb{F}_q$ and a nonprincipal additive character $\chi$ of $\mathbb{F}_q$ (written $\chi$ rather than $\psi$ in this section, since $\psi$ also denotes the GLV endomorphism in (9)), we define the exponential sum
$$S_{\sigma,k}(\chi) = \sum_{\mathbf{m} \in \mathcal{M}_k} \chi\bigl( x(P_{\sigma,\mathbf{m}}) \bigr),$$
where we always assume that the value of the character is defined as zero if the expression in the argument is not defined (for example, if $P_{\sigma,\mathbf{m}} = \mathcal{O}$ in the above sum). It is shown in [19, Lemma 2.1] that if $P \in E(\mathbb{F}_q)$ is of prime order $\ell$, then for any integer $k \ge 1$ the bound
$$|S_{\sigma,k}(\chi)| \ll \#\mathcal{M}_k \left( q^{1/4\nu}\, \ell^{-1/2\nu} + 2^{-k/2\nu}\, q^{(\nu+1)/4\nu} \right) \tag{10}$$
holds with any fixed integer
$$\nu \ge \frac{\log q}{2k \log 2},$$
where $\sigma$ is one of the endomorphisms (9).

Given an endomorphism $\sigma$ of an elliptic curve $E$ over $\mathbb{F}_q$ and an integer $k \ge 1$, we denote by $N_{\sigma,k}(Q)$ the number of representations
$$P_{\sigma,\mathbf{m}} = Q, \qquad \mathbf{m} = (\mu_0, \ldots, \mu_{k-1}) \in \mathcal{M}_k.$$
We recall [19, Lemma 2.1]:

Lemma 7. Let $E$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $P \in E(\mathbb{F}_q)$ be of prime order $\ell$. Then for any positive integer $k$ and for every point $Q \in E(\mathbb{F}_q)$ the bound
$$N_{\sigma,k}(Q) \ll 2^k \ell^{-1} + 1$$
holds, where $\sigma$ is one of the endomorphisms (9).

We now obtain a bound that improves (10) for some values of the parameters (namely for large $k$ and $\ell$).

Theorem 8. Let $E$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $P \in E(\mathbb{F}_q)$ be of prime order $\ell$. Then for any integer $k \ge 1$ the bound
$$|S_{\sigma,k}(\chi)| \ll \#\mathcal{M}_k\, q^{1/2} \ell^{-1} + (\#\mathcal{M}_k)^{1/2} q^{1/2}$$
holds, where $\sigma$ is one of the endomorphisms (9).

Proof. Let us choose $r = \lceil k/2 \rceil$. For $j = 0, 1$ we define $\mathcal{U}_j$ to be the subset of $\mathbf{u} = (u_1, \ldots, u_r) \in \mathcal{M}_r$ with $u_r = \pm j$. To form a vector in $\mathcal{M}_k$, a vector from $\mathcal{U}_0$ can be followed by any vector from $\mathcal{V}_0 = \mathcal{M}_{k-r}$, while a vector from $\mathcal{U}_1$ requires the following digit to be zero. Hence, we put
$$\mathcal{V}_1 = \{ (0, \mathbf{w}) : \mathbf{w} \in \mathcal{M}_{k-r-1} \}.$$
We have
$$S_{\sigma,k}(\chi) = R_{\sigma,0} + R_{\sigma,1},$$
where
$$R_{\sigma,j} = \sum_{\mathbf{u} \in \mathcal{U}_j} \sum_{\mathbf{v} \in \mathcal{V}_j} \chi\bigl( x(P_{\sigma,\mathbf{u}} \oplus \sigma^r(P_{\sigma,\mathbf{v}})) \bigr), \qquad j = 0, 1.$$
We now consider the sets
$$\mathcal{X}_j = \{ P_{\sigma,\mathbf{u}} : \mathbf{u} \in \mathcal{U}_j \} \qquad\text{and}\qquad \mathcal{Y}_j = \{ \sigma^r(P_{\sigma,\mathbf{v}}) : \mathbf{v} \in \mathcal{V}_j \}.$$
Using Lemma 7, we see that we can write
$$R_{\sigma,j} = \sum_{X \in \mathcal{X}_j} \sum_{Y \in \mathcal{Y}_j} M(X) N(Y)\, \chi\bigl( x(X \oplus Y) \bigr), \qquad j = 0, 1,$$
with some positive coefficients $M(X)$ and $N(Y)$ (the numbers of $\mathbf{u} \in \mathcal{U}_j$ and $\mathbf{v} \in \mathcal{V}_j$ giving $X$ and $Y$, respectively) such that
$$M(X) \ll 2^r \ell^{-1} + 1 \qquad\text{and}\qquad N(Y) \ll 2^{k-r} \ell^{-1} + 1.$$
We also trivially have
$$\sum_{X \in \mathcal{X}_j} M(X) = \#\mathcal{U}_j \qquad\text{and}\qquad \sum_{Y \in \mathcal{Y}_j} N(Y) = \#\mathcal{V}_j.$$
Therefore
$$\sum_{X \in \mathcal{X}_j} M(X)^2 \ll \#\mathcal{U}_j \left( 2^r \ell^{-1} + 1 \right) \qquad\text{and}\qquad \sum_{Y \in \mathcal{Y}_j} N(Y)^2 \ll \#\mathcal{V}_j \left( 2^{k-r} \ell^{-1} + 1 \right).$$
Therefore, by Theorem 3, we derive
$$R_{\sigma,j} \ll \sqrt{ q\, (2^r \ell^{-1} + 1)(2^{k-r} \ell^{-1} + 1)\, \#\mathcal{U}_j\, \#\mathcal{V}_j }, \qquad j = 0, 1.$$
Clearly $\#\mathcal{U}_j\, \#\mathcal{V}_j \le \#\mathcal{M}_k \ll 2^k$. Furthermore, by the choice of $r$,
$$(2^r \ell^{-1} + 1)(2^{k-r} \ell^{-1} + 1) \ll (2^{k/2} \ell^{-1} + 1)^2 \ll 2^k \ell^{-2} + 1.$$
And thus
$$|R_{\sigma,j}| \ll q^{1/2}\, 2^k \ell^{-1} + q^{1/2}\, 2^{k/2}, \qquad j = 0, 1,$$
which concludes the proof.

Clearly, if for some fixed $\varepsilon > 0$ we have $\ell > q^{1/2+\varepsilon}$ and $2^k \ge q^{1+\varepsilon}$, then the bound of Theorem 8 is nontrivial. As in [19, Section 4], we can now use this bound in various questions about the distribution of $x(P_{\sigma,\mathbf{m}})$ for $\mathbf{m} \in \mathcal{M}_k$.
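The signed-digit set $\mathcal{M}_k$ of (7), the count of Lemma 6 and the prefix/suffix splitting of $\mathcal{M}_k$ used in the proof of Theorem 8 can all be checked directly for small $k$. The following Python script is an added worked example, not code from the paper: it enumerates $\mathcal{M}_k$, compares $\#\mathcal{M}_k$ with the exact closed form $(2^{k+2} - (-1)^k)/3$ that follows from the recurrence $\#\mathcal{M}_k = \#\mathcal{M}_{k-1} + 2\,\#\mathcal{M}_{k-2}$ (our derivation; the paper only states the $O(1)$ error term), rebuilds $\mathcal{M}_k$ from $\mathcal{U}_0 \times \mathcal{V}_0$ and $\mathcal{U}_1 \times \mathcal{V}_1$ with $r = \lceil k/2 \rceil$, and, for the doubling endomorphism $\sigma = \delta$, where $P_{\delta,\mathbf{m}} = n(\mathbf{m})P$ with $n(\mathbf{m}) = \sum_j \mu_j 2^j$, tabulates the representation counts $N_{\delta,k}(Q)$ modulo a prime $\ell$ as in Lemma 7. The values of $k$ and the prime $\ell = 7$ are illustrative choices made here.

```python
"""Added worked example: the signed-digit vectors M_k of (7).

Not code from the paper.  Enumerates M_k, checks Lemma 6 against the exact
count derived from the recurrence #M_k = #M_{k-1} + 2 #M_{k-2}, rebuilds the
U_j x V_j tiling from the proof of Theorem 8, and, for the doubling
endomorphism sigma = delta (where P_{delta,m} = n(m) P, n(m) = sum mu_j 2^j),
tabulates the representation counts N_{delta,k}(Q) modulo a prime ell.
The values of k and ell = 7 used below are illustrative assumptions.
"""
from math import ceil


def signed_digit_vectors(k):
    """M_k: all m in {0, 1, -1}^k with mu_j * mu_{j+1} = 0 for j = 0..k-2.

    Built iteratively: a vector of M_k either ends in 0, preceded by any
    vector of M_{k-1}, or ends in (0, +-1), preceded by any vector of M_{k-2}.
    """
    if k < 0:
        raise ValueError("k must be non-negative")
    prev2, prev1 = [()], [(0,), (1,), (-1,)]        # M_0 and M_1
    if k == 0:
        return prev2
    for _ in range(k - 1):
        cur = [m + (0,) for m in prev1]
        cur += [m + (0, d) for m in prev2 for d in (1, -1)]
        prev2, prev1 = prev1, cur
    return prev1


def exact_count(k):
    """Closed form of the recurrence: #M_k = (2^(k+2) - (-1)^k) / 3."""
    return (2 ** (k + 2) - (-1) ** k) // 3


def bosma_error(k):
    """#M_k - (4/3) 2^k, the O(1) term of Lemma 6; it equals -(-1)^k / 3."""
    return len(signed_digit_vectors(k)) - 4 * 2 ** k / 3


def theorem8_tiling(k):
    """Split of M_k from the proof of Theorem 8, for k >= 2.

    r = ceil(k/2); U_j = {u in M_r : u_r = +-j}; V_0 = M_{k-r};
    V_1 = {(0, w) : w in M_{k-r-1}}.  Returns
    (#(U_0 V_0 union U_1 V_1), #U_0 #V_0 + #U_1 #V_1, #M_k); all three agree,
    because the concatenations are distinct and tile M_k.
    """
    if k < 2:
        raise ValueError("the split needs k >= 2")
    r = ceil(k / 2)
    m_r = signed_digit_vectors(r)
    u0 = [u for u in m_r if u[-1] == 0]
    u1 = [u for u in m_r if u[-1] != 0]
    v0 = signed_digit_vectors(k - r)
    v1 = [(0,) + w for w in signed_digit_vectors(k - r - 1)]
    tiled = {u + v for u in u0 for v in v0} | {u + v for u in u1 for v in v1}
    return len(tiled), len(u0) * len(v0) + len(u1) * len(v1), exact_count(k)


def naf_value(m):
    """n(m) = sum_j mu_j 2^j; with sigma = delta, P_{delta,m} = n(m) P."""
    return sum(d * 2 ** j for j, d in enumerate(m))


def representation_counts(k, ell):
    """N_{delta,k}(Q) for Q = cP, P of prime order ell, as a dict
    c -> #{m in M_k : n(m) = c (mod ell)}, the quantity bounded in Lemma 7."""
    counts = {}
    for m in signed_digit_vectors(k):
        c = naf_value(m) % ell
        counts[c] = counts.get(c, 0) + 1
    return counts


def max_multiplicity(k, ell):
    """max_Q N_{delta,k}(Q), to be compared with 2^k / ell + 1."""
    return max(representation_counts(k, ell).values())


if __name__ == "__main__":
    for k in range(2, 9):
        print(k, len(signed_digit_vectors(k)), exact_count(k), round(bosma_error(k), 3))
    print("Theorem 8 tiling for k = 7:", theorem8_tiling(7))
    print("max N_{delta,8}(Q) for ell = 7:", max_multiplicity(8, 7),
          "vs 2^8/7 + 1 =", round(2 ** 8 / 7 + 1, 2))
```

Two things the enumeration makes visible: the $O(1)$ in Lemma 6 is exactly $\mp 1/3$, and, since a vector of $\mathcal{M}_k$ is a $k$-digit non-adjacent form, distinct vectors give distinct integers $n(\mathbf{m})$, so for $\sigma = \delta$ the multiplicity $N_{\delta,k}(Q)$ comes only from reduction modulo $\ell$, which is why it behaves like $2^k/\ell + 1$ as in Lemma 7.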

4 Sums Over Consecutive Intervals

4.1 Stationary phase sums

For an integer $n$ and $a, b \in \mathbb{F}_q$, we now consider the sums
$$S_n(\psi; a, b) = \sum_{P \in E(\mathbb{F}_q)} \psi\bigl( a\,x(P) + b\,x(nP) \bigr).$$
As has been mentioned in [30], it follows from a much more general result of [18, Corollary 5] that if at least one of $a$ and $b$ is a non-zero element of $\mathbb{F}_q$ and $n > 0$, then
$$S_n(\psi; a, b) = O(n^2 q^{1/2}). \tag{11}$$
Furthermore, in [30], the following two bounds are given:
$$S_n(\psi; a, b) \ll q^{3/2}/d \tag{12}$$
and
$$S_n(\psi; a, b) \ll q d^{-1/2} + q^{3/4}, \tag{13}$$
where $d = \gcd(n, \#E(\mathbb{F}_q))$. The above bounds improve on (11) when $d$ is not very small. The bound (12) is nontrivial whenever $d/q^{1/2} \to \infty$ as $q \to \infty$. The bound (13) is nontrivial for $d \to \infty$ as $q \to \infty$; however, it is weaker than the first bound for $d > q^{3/4}$. In [30], the bound (3) is used to obtain (13). Here we use Theorem 3 to improve on the bounds (12) and (13). Although the proof of the new bound is quite similar to the proof given in [30], here, for the sake of completeness, instead of referring to [30] for details we give a complete proof of this bound.

Theorem 9. Let $E$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $n > 0$ be an arbitrary integer. Then for any $a \in \mathbb{F}_q^*$ and $b \in \mathbb{F}_q$ we have
$$S_n(\psi; a, b) \ll q d^{-1/2},$$
where $d = \gcd(n, \#E(\mathbb{F}_q))$.

Proof. Let $H_d \subseteq E(\mathbb{F}_q)$ be the subgroup of $E(\mathbb{F}_q)$ consisting of the $d$-torsion points $Q \in E(\mathbb{F}_q)$, that is, of points $Q$ with $dQ = \mathcal{O}$. It is well known, see [2, 5, 34], that the group $E(\mathbb{F}_q)$ is isomorphic to
$$E(\mathbb{F}_q) \cong \mathbb{Z}_M \times \mathbb{Z}_L \tag{14}$$
for some unique integers $M$ and $L$ with
$$L \mid M, \qquad LM = \#E(\mathbb{F}_q), \qquad L \mid q - 1. \tag{15}$$
Since $d \mid \#E(\mathbb{F}_q)$, we see from (14) and (15) that we can write $d = d_1 d_2$, where $d_1 = \gcd(d, M)$ and $d_2 = d/d_1$ divides $L$ (and hence also $d_1$). It is now easy to see that
$$\#H_d \ge d \tag{16}$$
(clearly $H_d$ is a subgroup of the group $E[d]$ of $d$-torsion points on $E$, thus we also have $\#H_d \le d^2$, see [2, 5, 34]).

For any point $Q \in E(\mathbb{F}_q)$ we have
$$S_n(\psi; a, b) = \sum_{P \in E(\mathbb{F}_q)} \psi\bigl( a\,x(P \oplus Q) + b\,x(n(P \oplus Q)) \bigr).$$
Therefore, since $nQ = \mathcal{O}$ for every $Q \in H_d$ (as $d \mid n$), we obtain
$$S_n(\psi; a, b) = \frac{1}{\#H_d} \sum_{Q \in H_d} \sum_{P \in E(\mathbb{F}_q)} \psi\bigl( a\,x(P \oplus Q) + b\,x(n(P \oplus Q)) \bigr) = \frac{1}{\#H_d} \sum_{Q \in H_d} \sum_{P \in E(\mathbb{F}_q)} \psi\bigl( a\,x(P \oplus Q) + b\,x(nP) \bigr) = \frac{1}{\#H_d} \sum_{P \in E(\mathbb{F}_q)} \sum_{Q \in H_d} \psi(b\,x(nP))\, \psi(a\,x(P \oplus Q)).$$
Now applying Theorem 3 with $\mathcal{P} = E(\mathbb{F}_q)$ and $\mathcal{Q} = H_d$ (for the nontrivial additive character $z \mapsto \psi(az)$, with $\rho(P) = \psi(b\,x(nP))$, $\vartheta \equiv 1$, so that one can take $R = \#E(\mathbb{F}_q) \ll q$ and $T = \#H_d$), we have
$$|S_n(\psi; a, b)| \ll \frac{1}{\#H_d} \bigl( q^2\, \#H_d \bigr)^{1/2} \ll \frac{q}{d^{1/2}},$$
which concludes the proof.

Note that for $d \le q$, Theorem 9 is an improvement on (12) and (13). If $d > q$, then from the fact that $\#E(\mathbb{F}_q) \le q + 1 + 2\sqrt{q}$, see [34, Chapter 5, Theorem 1.1], it follows that $d = \#E(\mathbb{F}_q)$, and hence in this case from (12) and Theorem 9 we have
$$S_n(\psi; a, b) = \sum_{P \in E(\mathbb{F}_q)} \psi\bigl( a\,x(P) + b\,x(nP) \bigr) = \sum_{P \in E(\mathbb{F}_q)} \psi(a\,x(P)) \ll \sqrt{q}.$$

4.2 Sums with the elliptic curve power generator

We now improve the results of [3, 12] on the distribution of the power generator on elliptic curves. Namely, given a point $G \in E(\mathbb{F}_q)$ of order $t$, we fix an integer $e$ with $\gcd(e, t) = 1$, put $W_0 = G$ and consider the sequence
$$W_n = e W_{n-1}, \qquad n = 1, 2, \ldots. \tag{17}$$
In a more explicit form we have $W_n = e^n G$. Clearly, the sequence $W_n$ is periodic with period $T$, which is the multiplicative order of $e$ modulo $t$.

For a point $G \in E(\mathbb{F}_q)$, a nonprincipal additive character $\psi$ of $\mathbb{F}_q$ and an integer $N$, we consider the character sums
$$S(G, \psi, N) = \sum_{n=0}^{N-1} \psi(x(W_n))$$
with the sequence (17). For $N = T$ the sum $S(G, \psi, T)$ is estimated in [18], where it is shown that for any fixed positive integer $\nu$ we have
$$S(G, \psi, T) \ll T^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)}.$$
In [12], using two different approaches, the above result is extended to incomplete sums $S(G, \psi, N)$ with $N \le T$. One of the approaches has led to
$$S(G, \psi, N) \ll N^{1-(3\nu+2)/2\nu(\nu+3)}\, t^{(\nu+1)/\nu(\nu+3)}\, q^{1/4(\nu+3)}, \tag{18}$$
while the other one has yielded
$$S(G, \psi, N) \ll T^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} \log q. \tag{19}$$
Notice that the bound (18) is stronger than (19) for short sums, but for almost complete sums the bound (19) is stronger. Here, using Lemma 2 and an inductive argument, we give a bound that improves both (18) and (19).

Theorem 10. Let $E$ be an ordinary elliptic curve defined over $\mathbb{F}_q$ and let $N \le T$. Suppose that for some fixed $\varepsilon > 0$ we have $t \ge q^{1/2+\varepsilon}$. Then for any fixed integer $\nu \ge 1$ there exists $C(\nu, \varepsilon) \ge 1$ depending only on $\nu$ and $\varepsilon$ such that
$$S(G, \psi, N) \le C(\nu, \varepsilon)\, N^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} (\log q)^{1/(\nu+2)}.$$

Proof. Our proof is based on induction on $N$. Notice that if $N \le q^{1/2}$, then since $t \ge q^{1/2+\varepsilon}$ we have
$$N^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} (\log q)^{1/(\nu+2)} \ge N,$$
and thus the claim holds trivially.

Now suppose that the claim is true for all $k < N$, that is, there exists $C(\nu, \varepsilon)$, to be determined later and depending only on $\nu$ and $\varepsilon$, such that for all $k < N$ we have
$$S(G, \psi, k) \le C(\nu, \varepsilon)\, k^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} (\log q)^{1/(\nu+2)}.$$
Let $\mathcal{M} = \{0, \ldots, M-1\}$ where $M < N$. For every $m \in \mathcal{M}$ we have
$$S(G, \psi, N) = \sum_{n=0}^{N-1} \psi\bigl( x(e^{n+m} G) \bigr) + S(G, \psi, m) - S(H, \psi, m),$$
where $H = e^N G$, and hence
$$M\, S(G, \psi, N) = \sum_{m=0}^{M-1} \sum_{n=0}^{N-1} \psi\bigl( x(e^{n+m} G) \bigr) + \sum_{m=0}^{M-1} S(G, \psi, m) - \sum_{m=0}^{M-1} S(H, \psi, m).$$
Notice that our bounds hold for any point of order $t$, and thus, using the fact that $\gcd(e, t) = 1$ (so that $H$ is also of order $t$), we can apply the induction hypothesis to the point $H$ too. Hence by the induction hypothesis we have
$$M\, |S(G, \psi, N)| \le W + 2M C(\nu, \varepsilon)\, M^{1-(3\nu+2)/2\nu(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} (\log q)^{1/(\nu+2)},$$
where
$$W = \Bigl| \sum_{m=0}^{M-1} \sum_{n=0}^{N-1} \psi\bigl( x(e^{n+m} G) \bigr) \Bigr|.$$
Applying Lemma 2 (with $\mathcal{A} = \{e^m : m \in \mathcal{M}\}$ and $\mathcal{B} = \{e^n : 0 \le n < N\}$, which are subsets of $\mathbb{Z}_t^*$ of cardinalities $M$ and $N$ since $M, N \le T$), we get
$$W \le D(\nu, \varepsilon)\, M^{1-1/2\nu} N^{1-1/(\nu+2)}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} (\log q)^{1/(\nu+2)}$$
for some $D(\nu, \varepsilon)$ depending only on $\nu$ and $\varepsilon$. From the two inequalities above we have
$$|S(G, \psi, N)| \le \Bigl( D(\nu, \varepsilon)\, M^{-1/2\nu} N^{1-1/(\nu+2)} + 2C(\nu, \varepsilon)\, M^{1-(3\nu+2)/2\nu(\nu+2)} \Bigr)\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} (\log q)^{1/(\nu+2)}.$$
Write $\theta = 1 - (3\nu+2)/2\nu(\nu+2) \in (0, 1)$ and note that $1/2\nu + 1/(\nu+2) = (3\nu+2)/2\nu(\nu+2)$, so that $M^{-1/2\nu} N^{1-1/(\nu+2)} = (N/M)^{1/2\nu} N^{\theta}$. Since $\theta < 1$, the choice $M = \lceil N/2 \rceil$ would give $2 M^{\theta} > N^{\theta}$ and the induction would not close; instead we take $M = \lceil \lambda N \rceil$ with a constant $\lambda = \lambda(\nu) \in (0, 1)$ so small that $2^{1+\theta} \lambda^{\theta} \le 1/2$. For $N \ge 1/\lambda$ we have $\lambda N \le M \le 2\lambda N < N$, hence
$$M^{-1/2\nu} N^{1-1/(\nu+2)} \le \lambda^{-1/2\nu} N^{\theta} \qquad\text{and}\qquad 2 M^{\theta} \le 2^{1+\theta} \lambda^{\theta} N^{\theta} \le \tfrac{1}{2} N^{\theta},$$
and therefore
$$|S(G, \psi, N)| \le \bigl( \lambda^{-1/2\nu} D(\nu, \varepsilon) + \tfrac{1}{2} C(\nu, \varepsilon) \bigr)\, N^{\theta}\, t^{(\nu+1)/\nu(\nu+2)}\, q^{1/4(\nu+2)} (\log q)^{1/(\nu+2)}.$$
We see that it suffices to take
$$C(\nu, \varepsilon) = \max\bigl\{ 2 \lambda^{-1/2\nu} D(\nu, \varepsilon),\ 1/\lambda \bigr\}$$
to conclude the proof (for $N < 1/\lambda$ the claim is trivial, since $|S(G, \psi, N)| \le N < 1/\lambda \le C(\nu, \varepsilon)$).

Notice that when $t = q^{1+o(1)}$, which is the most interesting case, taking $\nu$ to be a very large number shows that the bound of Theorem 10 is stronger than the bound (18) whenever $N \ge q^{5/6+\varepsilon}$ for some fixed $\varepsilon > 0$.
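To make the objects of Sections 2 and 4 concrete, here is an added worked example (not code from the paper) on the curve $E : Y^2 = X^3 + X + 1$ over $\mathbb{F}_{23}$, which has $28$ points forming a cyclic group of order $4 \cdot 7$; the curve, the prime $23$ and the parameters $e = 3$ and $t = 7$ are our own illustrative choices. The script implements the group law $\oplus$, the additive character $\psi(z) = e^{2\pi i z/23}$, the single sum $\sum_P \psi(x(P))$ of the type appearing in Lemma 1, the bilinear sum $V_{\rho,\vartheta}(\psi, \mathcal{P}, \mathcal{Q})$ of (2) with $\rho = \vartheta = 1$, and the power generator $W_n = e^n G$ of (17), whose period is computed and compared with the multiplicative order of $e$ modulo $t$.

```python
"""Toy instance of the paper's objects on E: Y^2 = X^3 + X + 1 over F_23.

Added worked example, not code from the paper.  The curve, the prime 23 and
the generator parameters are chosen here because E(F_23) is small enough to
enumerate (28 points, a cyclic group of order 4 * 7).  Implements the group
law, the additive character psi, the single sum of Lemma 1, the bilinear
sum (2) of Theorem 3 with rho = vartheta = 1, and the power generator
W_n = e^n G of (17) together with its period.
"""
import cmath
import math

P_MOD = 23              # q = p, a small prime (assumption of this example)
A_COEF, B_COEF = 1, 1   # E: Y^2 = X^3 + X + 1
O = None                # point at infinity, the neutral element of E(F_q)


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A_COEF * x + B_COEF)) % P_MOD == 0


def ec_add(p1, p2):
    """Group law (the operation written (+) in the paper) in affine form."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                   # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(n, pt):
    """nP for n >= 0 by double-and-add."""
    acc, base = O, pt
    while n:
        if n & 1:
            acc = ec_add(acc, base)
        base = ec_add(base, base)
        n >>= 1
    return acc


def curve_points():
    """E(F_q) by brute force, point at infinity included."""
    pts = [O]
    for x in range(P_MOD):
        rhs = (x ** 3 + A_COEF * x + B_COEF) % P_MOD
        pts += [(x, y) for y in range(P_MOD) if (y * y) % P_MOD == rhs]
    return pts


def point_order(pt):
    """Order of pt in E(F_q), for pt != O."""
    n, acc = 1, pt
    while acc is not O:
        acc, n = ec_add(acc, pt), n + 1
    return n


def psi(z):
    """Nontrivial additive character of F_p: psi(z) = exp(2 pi i z / p)."""
    return cmath.exp(2j * math.pi * (z % P_MOD) / P_MOD)


def psi_x(pt):
    """psi(x(P)); the paper's convention: the term is 0 when x(P) is undefined."""
    return 0 if pt is O else psi(pt[0])


def single_sum(points):
    """Sum of psi(x(P)) over a set of points, the shape of the sum in Lemma 1."""
    return sum(psi_x(pt) for pt in points)


def bilinear_sum(set_p, set_q):
    """V_{rho,vartheta}(psi, P, Q) of (2) with rho = vartheta = 1."""
    return sum(psi_x(ec_add(p, q)) for p in set_p for q in set_q)


def mult_order(e, t):
    """Multiplicative order of e modulo t, gcd(e, t) = 1 assumed."""
    k, acc = 1, e % t
    while acc != 1:
        acc, k = (acc * e) % t, k + 1
    return k


def power_generator(g, e, n_terms):
    """W_0 = G, W_n = e W_{n-1}, i.e. W_n = e^n G, as in (17)."""
    seq, w = [], g
    for _ in range(n_terms):
        seq.append(w)
        w = ec_mul(e, w)
    return seq


def generator_period(g, e):
    """Least T >= 1 with W_T = W_0; this is the order of e modulo ord(G)."""
    t, w = 1, ec_mul(e, g)
    while w != g:
        w, t = ec_mul(e, w), t + 1
    return t


if __name__ == "__main__":
    pts = curve_points()
    g = next(pt for pt in pts if pt is not O and point_order(pt) == 7)
    print("#E(F_23) =", len(pts), "; G =", g, "has order 7")
    print("period of W_n for e = 3:", generator_period(g, 3),
          "= ord_7(3) =", mult_order(3, 7))
    print("|sum psi(x(P))| over E(F_23):", round(abs(single_sum(pts)), 3))
    print("|V(E, E)| / sqrt(q #E #E):",
          round(abs(bilinear_sum(pts, pts)) / math.sqrt(23 * 28 * 28), 3))
```

Taking $\mathcal{P} = \mathcal{Q} = E(\mathbb{F}_q)$, every $S$ arises from exactly $\#E(\mathbb{F}_q)$ pairs $(P, Q)$, so $V_{1,1} = \#E(\mathbb{F}_q) \sum_S \psi(x(S))$; this identity is a useful check on the arithmetic, and the single sum can be compared with $4\sqrt{q}$, the explicit form $2\deg(x)\sqrt{q}$ of the Kohel–Shparlinski bound [17] behind Lemma 1 (that constant is an assumption of this example, not a statement of the paper).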

5 Comments

Dvir [11] has considered the problem of constructing randomness extractors for algebraic varieties. In general terms the problem can be described as follows. Given an algebraic variety $\mathcal{V}$ over $\mathbb{F}_q$ and one or several sources of random, but not necessarily uniformly generated, points on $\mathcal{V}$, design an algorithm to generate long strings of random bits with a distribution that is close to uniform. The construction of [11] requires only one, but rather uniform, source of points on $\mathcal{V}$. In the case when $\mathcal{V} = E$, the result of Theorem 3 has a natural interpretation as a two-source extractor from two biased sources of points $P$ and $Q$, respectively. Say, if $q = p$, then one can use the most significant bits of $x(P \oplus Q)$ (in some standard representation of the residues modulo $p$). The exact number of output bits depends on the bias of the sources of points $P$ and $Q$.

We also remark that many of our results have direct analogues for sums with multiplicative characters.

6 Acknowledgements

During the preparation of this paper, O.A. was supported in part by a grant from IPM, Grant 91050418 (Iran), and I.S. by ARC Grant DP130100237 (Australia) and by NRF Grant CRP2-2007-03 (Singapore). A portion of this work was done when the authors were visiting the University of Waterloo; the support and hospitality of this institution are gratefully acknowledged.

References

[1] O. Ahmadi and I. E. Shparlinski, 'Bilinear character sums and the sum-product problem on elliptic curves', Proc. Edinb. Math. Soc., 53 (2010), 1–12.
[2] R. Avanzi, H. Cohen, C. Doche, G. Frey, T. Lange, K. Nguyen and F. Vercauteren, Elliptic and hyperelliptic curve cryptography: Theory and practice, CRC Press, 2005.
[3] W. D. Banks, J. B. Friedlander, M. Z. Garaev and I. E. Shparlinski, 'Double character sums over elliptic curves and finite fields', Pure and Appl. Math. Quart., 2 (2006), 179–197.
[4] S. Blackburn, A. Ostafe and I. E. Shparlinski, 'On the distribution of the subset sum pseudorandom number generator on elliptic curves', Unif. Distrib. Theory, 6 (2011), 127–142.
[5] I. Blake, G. Seroussi and N. Smart, Elliptic curves in cryptography, London Math. Soc. Lecture Note Series, 265, Cambridge Univ. Press, 1999.
[6] E. Bombieri, 'On exponential sums in finite fields', Amer. J. Math., 88 (1966), 71–105.
[7] W. Bosma, 'Signed bits and fast exponentiation', J. Théorie des Nombres Bordeaux, 13 (2001), 27–41.
[8] Z. Chen, 'Elliptic curve analogue of Legendre sequences', Monatsh. Math., 154 (2008), 1–10.
[9] C. Chevalier, P.-A. Fouque, D. Pointcheval and S. Zimmer, 'Optimal randomness extraction from a Diffie-Hellman element', Proc. Eurocrypt 2009, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 5479 (2009), 572–589.
[10] A. A. Ciss and D. Sow, 'Randomness extraction in elliptic curves and secret key derivation at the end of Diffie-Hellman protocol', Intern. J. Appl. Cryptography, 2 (2012), 360–365.
[11] Z. Dvir, 'Extractors for varieties', Comput. Complex., 21 (2012), 515–572.
[12] E. El Mahassni and I. E. Shparlinski, 'On the distribution of the elliptic curve power generator', Proc. 8th Conf. on Finite Fields and Appl., Contemporary Math., 461, Amer. Math. Soc., 2008, 111–119.
[13] R. R. Farashahi and I. E. Shparlinski, 'Pseudorandom bits from points on elliptic curves', IEEE Trans. Inform. Theory, 58 (2012), 1242–1247.
[14] R. R. Farashahi, P.-A. Fouque, I. E. Shparlinski, M. Tibouchi and J. F. Voloch, 'Indifferentiable deterministic hashing to elliptic and hyperelliptic curves', Math. Comp., 82 (2013), 491–512.
[15] R. P. Gallant, R. J. Lambert and S. A. Vanstone, 'Faster point multiplication on elliptic curves with efficient endomorphisms', Proc. Crypto 2001, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 2139 (2001), 190–200.
[16] N. Koblitz, 'CM curves with good cryptographic properties', Proc. Crypto 1991, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 576 (1992), 279–287.
[17] D. R. Kohel and I. E. Shparlinski, 'Exponential sums and group generators for elliptic curves over finite fields', Proc. 4th Algorithmic Number Theory Symp., Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1838 (2000), 395–404.
[18] T. Lange and I. E. Shparlinski, 'Certain exponential sums and random walks on elliptic curves', Canad. J. Math., 57 (2005), 338–350.
[19] T. Lange and I. E. Shparlinski, 'Distribution of some sequences of points on elliptic curves', J. Math. Cryptology, 1 (2007), 1–11.
[20] H. Liu, 'A family of elliptic curve pseudorandom binary sequences', Designs, Codes and Cryptography, (to appear).
[21] L. Mérai, 'Construction of pseudorandom binary lattices using elliptic curves', Proc. Amer. Math. Soc., 139 (2011), 407–420.
[22] L. Mérai, 'Construction of pseudorandom binary sequences over elliptic curves using multiplicative characters', Publ. Math. Debrecen, 80 (2012), 199–213.
[23] L. Mérai, 'Remarks on pseudorandom binary sequences over elliptic curves', Fund. Inform., 114 (2012), 301–308.
[24] P. Q. Nguyen and I. E. Shparlinski, 'The insecurity of the elliptic curve Digital Signature Algorithm with partially known nonces', Designs, Codes and Cryptography, 30 (2003), 201–217.
[25] A. Ostafe and I. E. Shparlinski, 'Twisted exponential sums over points of elliptic curves', Acta Arith., 148 (2011), 77–92.
[26] A. Ostafe and I. E. Shparlinski, 'Exponential sums over points of elliptic curves with reciprocals of primes', Mathematika, 58 (2012), 21–33.
[27] A. Sárközy, 'On sums and products of residues modulo p', Acta Arith., 118 (2005), 403–409.
[28] I. E. Shparlinski, 'Bilinear character sums over elliptic curves', Finite Fields and Their Appl., 14 (2008), 132–141.
[29] I. E. Shparlinski, 'On the elliptic curve analogue of the sum-product problem', Finite Fields and Their Appl., 14 (2008), 721–726.
[30] I. E. Shparlinski, 'Some special character sums over elliptic curves', Bol. Soc. Matem. Mexicana, 15 (2009), 37–40.
[31] I. E. Shparlinski, 'Pseudorandom number generators from elliptic curves', Recent Trends in Cryptography, Contemp. Math., vol. 477, Amer. Math. Soc., 2009, 121–141.
[32] I. E. Shparlinski and J. F. Voloch, 'Generators of elliptic curves over finite fields', Preprint, 2011.
[33] I. E. Shparlinski and A. Winterhof, 'Constructions of approximately mutually unbiased bases', Proc. 7th Latin American Theoretical Informatics Conf., Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 3887 (2006), 793–799.
[34] J. H. Silverman, The arithmetic of elliptic curves, Springer-Verlag, Berlin, 2009.