AAECC 12, 265–272 (2001)

On the Lattice Structure of Pseudorandom Numbers Generated over Arbitrary Finite Fields

Harald Niederreiter (1), Arne Winterhof (2)

(1) Department of Mathematics, National University of Singapore, 2 Science Drive 2, Singapore 117543, Republic of Singapore (e-mail: [email protected])
(2) Institute of Discrete Mathematics, Austrian Academy of Sciences, Sonnenfelsgasse 19, 1010 Vienna, Austria (e-mail: [email protected])

Received: December 13, 1999; revised version: November 17, 2000

Abstract. Marsaglia's lattice test for congruential pseudorandom number generators modulo a prime is extended to a test for generators over arbitrary finite fields. A congruential generator η_0, η_1, ..., generated by η_n = g(n), n = 0, 1, ..., passes Marsaglia's s-dimensional lattice test if and only if s ≤ deg(g). It is investigated how far this condition holds true for polynomials over arbitrary finite fields F_q, particularly for polynomials of the form g_d(x) = α(x + β)^d + γ, α, β, γ ∈ F_q, α ≠ 0, 1 ≤ d ≤ q − 1.

Keywords: Pseudorandom number generator, Nonlinear method, Marsaglia's lattice test.

1 Introduction

This paper is a contribution to the theory of nonlinear methods for pseudorandom number generation. These methods provide an attractive alternative to linear methods, such as the classical linear congruential method, and have been extensively investigated in the literature (see the surveys in [4], [11, Chapter 8], [12]). Initially, nonlinear methods were defined over finite prime fields, and in this case they belong to the family of nonlinear congruential methods (compare with [11, Chapter 8]). More recently, nonlinear methods over arbitrary finite fields were introduced (see e.g. [5], [13]), and the present paper deals with this general framework.

Let F_q be the finite field of order q, where q is an arbitrary prime power. Consider a periodic sequence η_0, η_1, ... of elements of F_q with period q. Then the map ξ_n → η_n for n = 0, 1, ..., where {ξ_0, ξ_1, ..., ξ_{q−1}} is any ordering of the elements of F_q with ξ_0 = 0 and ξ_{n+q} = ξ_n for n = 0, 1, ..., can be represented by a uniquely determined polynomial g ∈ F_q[x] with deg(g) < q, i.e.,

$$\eta_n = g(\xi_n) \quad \text{for } n = 0, 1, \ldots \qquad (1)$$

(The sequence η_0, η_1, ... generated by (1) runs through all elements of F_q if and only if g is a permutation polynomial of F_q.)

For given s ≥ 1 we say that a pseudorandom number generator η_0, η_1, ... over F_q passes the s-dimensional lattice test if the vectors y_n − y_0, n = 0, 1, ..., span F_q^s, where

$$y_n = (\eta_n, \eta_{n \oplus 1}, \ldots, \eta_{n \oplus (s-1)}) \in \mathbb{F}_q^s \quad \text{for } n = 0, 1, \ldots$$

and ⊕ is defined by

$$n \oplus j \equiv i \bmod q \iff \xi_n + \xi_j = \xi_i, \qquad n, j = 0, 1, \ldots,\ 0 \le i < q.$$

For congruential generators modulo a prime p and ξ_i ≡ i mod p for i = 0, 1, ... this lattice test was proposed by Marsaglia [7]. (See also [11, Definition 8.1].) It was shown by Eichenauer, Grothe, and Lehn [2] that a congruential generator modulo p passes the s-dimensional lattice test if and only if s ≤ deg(g). (For a short proof see Niederreiter [11, Theorem 8.2].) The situation is different for generators over arbitrary finite fields. In this paper we first establish a criterion for a generator over F_q to pass the s-dimensional lattice test (see Lemma 1). From this criterion we derive necessary conditions (see Section 2) and a sufficient condition (see Section 3) for passing the s-dimensional lattice test.

2 Necessary Conditions

For j = 0, ..., q − 1 and g ∈ F_q[x] let

$$\varphi_j(g)(x) = g(x + \xi_j) - g(\xi_j) \in \mathbb{F}_q[x].$$

Lemma 1. The generator (1) over F_q passes the s-dimensional lattice test if and only if the polynomials φ_0(g), φ_1(g), ..., φ_{s−1}(g) are linearly independent over F_q.

Proof. Put

$$u_j = (\eta_{1 \oplus j} - \eta_j, \eta_{2 \oplus j} - \eta_j, \ldots, \eta_{(q-1) \oplus j} - \eta_j) \quad \text{for } j = 0, 1, \ldots$$

and let U_s be the s × (q − 1) matrix with rows u_0, u_1, ..., u_{s−1}. The sequence η_0, η_1, ... generated by (1) passes the s-dimensional lattice test if and only if


rank(U_s) = s. Now the vector u_j can be identified with the polynomial φ_j(g), in the sense that

$$u_j = (\varphi_j(g)(\xi_1), \varphi_j(g)(\xi_2), \ldots, \varphi_j(g)(\xi_{q-1})),$$

and this yields the assertion. □
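The lattice test of Lemma 1 in the prime-field case q = p with ξ_i ≡ i mod p (so n ⊕ j = n + j mod p), as an added Python example that is not part of the paper: it forms the vectors y_n − y_0, computes their rank over F_p by Gaussian elimination, and returns the largest s for which the test passes, which by the result of Eichenauer, Grothe, and Lehn quoted above equals deg(g). The function names, the coefficient-list representation of g and the sample polynomials are choices of this example, not the paper's.

```python
# Added example (not from the paper): Marsaglia's s-dimensional lattice test
# over a prime field F_p with the natural ordering xi_i = i mod p, so that
# n (+) j = n + j mod p and eta_n = g(n mod p).  Function names and the
# coefficient-list representation of g are assumptions of this example.

def rank_mod_p(rows, p):
    """Rank of a matrix over F_p (rows: list of lists of ints), by Gauss-Jordan."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)          # modular inverse, Python >= 3.8
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def generator(coeffs, p):
    """One full period eta_0..eta_{p-1} of eta_n = g(n); coeffs[i] is the x^i term of g."""
    return [sum(c * pow(n, i, p) for i, c in enumerate(coeffs)) % p for n in range(p)]

def passes_lattice_test(coeffs, p, s):
    """True iff the vectors y_n - y_0, y_n = (eta_n, ..., eta_{n+s-1}), span F_p^s."""
    eta = generator(coeffs, p)
    y = lambda n: [eta[(n + j) % p] for j in range(s)]
    y0 = y(0)
    # Row n is y_n - y_0; its j-th entry is phi_j(g)(xi_n) exactly as in Lemma 1,
    # so the rank of this matrix is rank(U_s).
    rows = [[(a - b) % p for a, b in zip(y(n), y0)] for n in range(1, p)]
    return rank_mod_p(rows, p) == s

def max_passing_dimension(coeffs, p):
    """Largest s for which the test passes (passing s implies passing every s' < s)."""
    s = 0
    while s < p - 1 and passes_lattice_test(coeffs, p, s + 1):
        s += 1
    return s

if __name__ == "__main__":
    # Constructed samples over F_7: g(x) = x^3 + 2x + 1 and g(x) = x^5 = x^{p-2}
    # (the explicit inversive generator); both pass exactly up to deg(g).
    print(max_passing_dimension([1, 2, 0, 1], 7))         # 3
    print(max_passing_dimension([0, 0, 0, 0, 0, 1], 7))   # 5
```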

Since the φ_j(g), j = 0, 1, ..., are polynomials of the same degree as g and with constant term 0, it follows from Lemma 1 that the generator (1) passes the s-dimensional lattice test only if s ≤ deg(g). In the rest of this section we establish more refined necessary conditions. First we consider the special polynomials g_d given by

$$g_d(x) = \alpha (x + \beta)^d + \gamma, \qquad \alpha, \beta, \gamma \in \mathbb{F}_q,\ \alpha \ne 0,\ d = 1, 2, \ldots, q - 1. \qquad (2)$$

(Obviously, the sequence η_0, η_1, ... generated by (1) and (2) runs through all elements of F_q if and only if gcd(d, q − 1) = 1.) Let q = p^k and let

$$d = d_0 + d_1 p + \cdots + d_{k-1} p^{k-1} \quad \text{with } 0 \le d_l < p \text{ for } 0 \le l \le k - 1 \qquad (3)$$

be the p-adic expansion of d.

Lemma 2. Let the polynomial g_d be as in (2). If s ≥ 1 is an integer such that φ_0(g_d), φ_1(g_d), ..., φ_{s−1}(g_d) are linearly independent over F_q with q = p^k, then we must have

$$s \le \prod_{l=0}^{k-1} (d_l + 1) - 1,$$

where the d_l are as in (3).

Proof. Let p_d(x) = x^d ∈ F_q[x], d = 1, 2, ..., q − 1, and let U_d be the F_q-linear span of the set of polynomials

$$\left\{ p_i : 1 \le i \le d \text{ and } \binom{d}{i} \not\equiv 0 \bmod p \right\}.$$

Then for j = 0, ..., q − 1,

$$\varphi_j(g_d) = \alpha \sum_{i=1}^{d} \binom{d}{i} (\xi_j + \beta)^{d-i} p_i \in U_d.$$

Therefore s does not exceed the dimension of U_d, which equals the number N_p(d) of binomial coefficients $\binom{d}{i}$ with 1 ≤ i ≤ d that are nonzero modulo p.


For 1 ≤ i ≤ d < q = p^k let

$$i = i_0 + i_1 p + \cdots + i_{k-1} p^{k-1}, \qquad d = d_0 + d_1 p + \cdots + d_{k-1} p^{k-1}; \qquad 0 \le i_l, d_l < p.$$

Lucas' congruence (see [1, p. 271, item 76], [6], [8], or [14]) asserts that

$$\binom{d}{i} \equiv \binom{d_0}{i_0} \cdots \binom{d_{k-1}}{i_{k-1}} \bmod p,$$

and thus

$$\binom{d}{i} \not\equiv 0 \bmod p \iff i_l \le d_l \text{ for all } 0 \le l \le k - 1. \qquad (4)$$

Therefore

$$N_p(d) = \prod_{l=0}^{k-1} (d_l + 1) - 1. \qquad \square$$

Corollary 1. A sequence η_0, η_1, ... in F_q with q = p^k generated by (1) and (2) passes the s-dimensional lattice test only if

$$s \le \prod_{l=0}^{k-1} (d_l + 1) - 1,$$

where the d_l are as in (3).

Proof. The assertion follows from Lemma 1 and Lemma 2. □

The following example shows that Corollary 1 is not best possible in general. Suppose p ≥ 3, k ≥ 2, let d = p + 1 and β = 0 and choose ξ_i = i ∈ F_p for i = 0, 1, 2. Then φ_0(g_d) − 2φ_1(g_d) + φ_2(g_d) = 0. By Lemma 1 the sequence generated with g_d does not pass the 3-dimensional lattice test.

For arbitrary generators in (1) we proceed as follows. For h ∈ F_q[x] with deg(h) ≥ 1 let e_1, ..., e_b be the positive exponents which occur with nonzero coefficients in h. Define

$$D(h) = \left\{ 1 \le i \le \deg(h) : \exists a \text{ with } 1 \le a \le b \text{ and } e_a \ge i \text{ such that } \binom{e_a}{i} \not\equiv 0 \bmod p \right\}.$$

Theorem 1. Let g ∈ F_q[x] with 1 ≤ deg(g) < q. Then the generator (1) over F_q passes the s-dimensional lattice test only if

$$s \le \min_{\xi \in \mathbb{F}_q} |D(g(x + \xi))|.$$


Proof. For ξ ∈ F_q we consider the polynomial h(x) = g(x + ξ). If e_1, ..., e_b are the positive exponents which occur with nonzero coefficients in h and if we put e_0 = 0, then we can write

$$h(x) = \sum_{a=0}^{b} \delta_a x^{e_a} \quad \text{with all } \delta_a \in \mathbb{F}_q.$$

Then for j = 0, ..., q − 1,

$$\begin{aligned}
\varphi_j(g)(x) &= h(x + \xi_j - \xi) - h(\xi_j - \xi) \\
&= \sum_{a=0}^{b} \delta_a \sum_{i=0}^{e_a} \binom{e_a}{i} (\xi_j - \xi)^{e_a - i} x^i - \sum_{a=0}^{b} \delta_a (\xi_j - \xi)^{e_a} \\
&= \sum_{i=1}^{\deg(h)} \left( \sum_{a=1,\, e_a \ge i}^{b} \binom{e_a}{i} \delta_a (\xi_j - \xi)^{e_a - i} \right) x^i \\
&= \sum_{i \in D(h)} \left( \sum_{a=1,\, e_a \ge i}^{b} \binom{e_a}{i} \delta_a (\xi_j - \xi)^{e_a - i} \right) x^i
\end{aligned}$$

(the coefficient of x^i vanishes for i ∉ D(h), since then every binomial coefficient in it is ≡ 0 mod p), and so all φ_j(g) are contained in the F_q-linear span of the polynomials x^i with i ∈ D(h). Thus, if the generator (1) passes the s-dimensional lattice test, then Lemma 1 implies that s ≤ |D(h)| = |D(g(x + ξ))|. The desired result follows immediately since ξ ∈ F_q was arbitrary. □

3 A Partial Converse

In this section we establish a partial converse of Corollary 1. We consider again the polynomials g_d defined in (2).

Theorem 2. Let q = p^k, let d be as in (3), and suppose that for some integers m ≥ 0 and 0 ≤ r < k we have

$$d_m = d_{m+1} = \cdots = d_{m+r-1} = p - 1, \qquad (5)$$

where the indices m, m + 1, ..., m + r − 1 are considered modulo k. Then a sequence η_0, η_1, ... in F_q generated by (1) and (2) passes the s-dimensional lattice test for all s ≤ p^r(d_{m+r} + 1) − 1, where the index m + r is again considered modulo k.


Proof. Put v = p^r(d_{m+r} + 1) − 1 and note that p^m v ≤ d. We can assume that v ≥ 1. Since passing the s-dimensional lattice test implies passing any lower-dimensional lattice test, it suffices to show that the sequence η_0, η_1, ... generated by (1) and (2) passes the v-dimensional lattice test. By Lemma 1 this amounts to proving that the polynomials φ_j(g_d), j = 0, 1, ..., v − 1, are linearly independent over F_q. For this purpose we assume that

$$0 = \sum_{j=0}^{v-1} \delta_j \varphi_j(g_d) = \sum_{j=0}^{v-1} \delta_j \alpha \sum_{i=0}^{d-1} \binom{d}{i} (\xi_j + \beta)^i p_{d-i}$$

with all δ_j ∈ F_q and with the polynomials p_i as in the proof of Lemma 2. Then we get

$$\sum_{j=0}^{v-1} \delta_j (\xi_j + \beta)^i = 0 \quad \text{whenever } \binom{d}{i} \not\equiv 0 \bmod p \text{ and } 0 \le i \le d - 1,$$

since α ≠ 0 and by the linear independence of the p_i. For 0 ≤ u ≤ v − 1 let u = u_0 + u_1 p + ⋯ + u_{k−1} p^{k−1} with 0 ≤ u_l < p for 0 ≤ l < r and 0 ≤ u_r ≤ d_{m+r} be the p-adic expansion of u and

$$w(u) = u_{k-m} + u_{k-m+1} p + \cdots + u_{k-1} p^{m-1} + u_0 p^m + u_1 p^{m+1} + \cdots + u_{k-m-1} p^{k-1}.$$

Then we have ξ^{p^m u} = ξ^{w(u)} for all ξ ∈ F_q and $\binom{d}{w(u)} \not\equiv 0 \bmod p$ by (4) and (5), and noting also that 0 ≤ w(u) ≤ p^m u < p^m v ≤ d, we obtain

$$\sum_{j=0}^{v-1} \delta_j (\xi_j + \beta)^{p^m u} = 0 \quad \text{for } 0 \le u \le v - 1.$$

The elements (ξ_j + β)^{p^m}, j = 0, 1, ..., v − 1, are distinct and the matrix $\left((\xi_j + \beta)^{p^m u}\right)_{0 \le u, j \le v-1}$ is thus an invertible Vandermonde matrix. Therefore, δ_0 = δ_1 = ⋯ = δ_{v−1} = 0, and so the φ_j(g_d), j = 0, 1, ..., v − 1, are indeed linearly independent over F_q. □

4 Final Remarks

1. In practice we need a special ordering {ξ_0, ..., ξ_{q−1}} of the elements of F_q for generating a sequence η_0, η_1, ... defined by (1). Let {β_1, ..., β_k} be an ordered basis of F_q over F_p. Then we define ξ_n, n = 0, 1, ..., q − 1, by

$$\xi_n = n_1 \beta_1 + n_2 \beta_2 + \cdots + n_k \beta_k \quad \text{if } n = n_1 + n_2 p + \cdots + n_k p^{k-1},\ 0 \le n_i < p,\ i = 1, 2, \ldots, k. \qquad (6)$$


2. If

$$\eta_n = c_n^{(1)} \beta_1 + c_n^{(2)} \beta_2 + \cdots + c_n^{(k)} \beta_k \quad \text{with all } c_n^{(i)} \in \mathbb{F}_p,$$

then we can derive digital explicit nonlinear pseudorandom numbers in the interval [0, 1) by putting

$$y_n = \sum_{j=1}^{k} c_n^{(j)} p^{-j}.$$

In the special case k = 1 and β_1 = 1 we get the (explicit) nonlinear congruential pseudorandom numbers which have been analyzed in [2, 3, 9, 10]. For a well-designed digital pseudorandom number generator one expects only the trivial lattice structure, i.e., the lattice structure implied by the property that all y_n are rational numbers with fixed denominator p^k.

3. With the ordering (6) the distribution of sequences of (explicit) nonlinear congruential pseudorandom numbers in parts of the period can be investigated by studying certain incomplete exponential sums over F_q which in the simplest case are of the form

$$\sum_{n=0}^{N-1} \chi(\gamma_n) \quad \text{for } 1 \le N \le q,$$

where χ denotes the canonical additive character of F_q. (For bounds on these sums see [15].)

4. By Corollary 1 and Theorem 2 a sequence generated by (1) and (2) passes the d-dimensional lattice test if and only if

$$d = (p-1) + (p-1)p + \cdots + (p-1)p^{t-1} + l p^t = (l+1)p^t - 1$$

for some t = 0, 1, ..., k − 1 and some l = 1, 2, ..., p − 1.

5. Let $\bar{\eta} = \eta^{-1}$ if η ∈ F_q^* and $\bar{0} = 0$. For given α ∈ F_q^*, β ∈ F_q with q ≥ 3, the explicit inversive generator is defined by

$$\eta_n = \overline{\alpha \xi_n + \beta} = \alpha^{-1} (\xi_n + \alpha^{-1} \beta)^{q-2} \quad \text{for } n = 0, 1, \ldots.$$

Recently, it has been demonstrated in [13] that pseudorandom numbers derived from the explicit inversive generator have desirable statistical independence properties. These pseudorandom numbers show a good behavior under the lattice test as well. The sequence η_0, η_1, ... passes the s-dimensional lattice test if and only if s ≤ q − q/p − 1 by Corollary 1 and Theorem 2.
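The digit conditions of Corollary 1 and Theorem 2, together with the consequences drawn in Remarks 4 and 5, as an added Python example that is not the paper's own code: for g_d over F_q with q = p^k it computes the upper bound ∏(d_l + 1) − 1, the best lower bound p^r(d_{m+r} + 1) − 1 over all cyclic runs of digits equal to p − 1, and the exact largest passing dimension when the two agree. Only the integer arithmetic of the two theorems is implemented, no field element is ever constructed, and the function names are choices of this example.

```python
# Added example (not from the paper): the bounds of Corollary 1 and Theorem 2
# for g_d(x) = alpha (x + beta)^d + gamma over F_q, q = p^k, computed purely
# from the p-adic digits (3) of d.  Function names are assumptions of this example.

def p_adic_digits(d, p, k):
    """[d_0, ..., d_{k-1}] with d = sum d_l p^l and 0 <= d_l < p, as in (3)."""
    if not 1 <= d < p ** k:
        raise ValueError("need 1 <= d <= q - 1")
    digits = []
    for _ in range(k):
        digits.append(d % p)
        d //= p
    return digits

def corollary1_upper_bound(d, p, k):
    """Corollary 1: the test can pass only for s <= prod(d_l + 1) - 1, i.e. N_p(d) by Lucas."""
    bound = 1
    for dl in p_adic_digits(d, p, k):
        bound *= dl + 1
    return bound - 1

def theorem2_lower_bound(d, p, k):
    """Theorem 2: the test passes for all s <= p^r (d_{m+r} + 1) - 1 whenever
    d_m = ... = d_{m+r-1} = p - 1 with indices mod k and 0 <= r < k (condition (5)).
    Returns the best such value over all m; the longest run starting at m is optimal,
    since a shorter run r' gives only p^{r'+1} - 1 <= p^r - 1."""
    digits = p_adic_digits(d, p, k)
    best = 0
    for m in range(k):
        r = 0
        while r < k - 1 and digits[(m + r) % k] == p - 1:   # keeps r < k as (5) requires
            r += 1
        best = max(best, p ** r * (digits[(m + r) % k] + 1) - 1)
    return best

def exact_lattice_dimension(d, p, k):
    """Largest passing dimension when Corollary 1 and Theorem 2 meet, else None.
    For d = (l+1) p^t - 1 (Remark 4) both bounds equal d; for d = q - 2, the explicit
    inversive generator of Remark 5, both equal q - q/p - 1."""
    lo, hi = theorem2_lower_bound(d, p, k), corollary1_upper_bound(d, p, k)
    return hi if lo == hi else None

if __name__ == "__main__":
    # Constructed cases over F_9 (p = 3, k = 2): d = 5 = 2*3 - 1 is exact (5), while
    # d = 4 = p + 1 is the paper's gap example (bounds 1 and 3, so no exact value).
    print(exact_lattice_dimension(5, 3, 2))   # 5
    print(exact_lattice_dimension(4, 3, 2))   # None
```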


References

1. Dickson, L. E.: History of the Theory of Numbers, Vol. 1. New York: Chelsea Publ. 1952
2. Eichenauer, J., Grothe, H., Lehn, J.: Marsaglia's lattice test and non-linear congruential pseudo random number generators. Metrika 35 (3/4), 241–250 (1988)
3. Eichenauer-Herrmann, J.: Equidistribution properties of nonlinear congruential pseudorandom numbers. Metrika 40 (6), 333–338 (1993)
4. Eichenauer-Herrmann, J., Herrmann, E., Wegenkittl, S.: A survey of quadratic and inversive congruential pseudorandom numbers. In: Niederreiter, H., et al. (eds.) Monte Carlo and Quasi-Monte Carlo Methods 1996. Lecture Notes in Statistics 127, pp. 66–97. New York: Springer 1998
5. Eichenauer-Herrmann, J., Niederreiter, H.: Digital inversive pseudorandom numbers. ACM Trans. Modeling and Computer Simulation 4 (4), 339–349 (1994)
6. Granville, A.: Arithmetic properties of binomial coefficients. I: Binomial coefficients modulo prime powers. In: Borwein, J., et al. (eds.) Organic Mathematics. CMS Conf. Proc. 20, pp. 253–276. Providence, RI: American Mathematical Society 1997
7. Marsaglia, G.: The structure of linear congruential sequences. In: Zaremba, S. K. (ed.) Applications of Number Theory to Numerical Analysis, pp. 249–285. New York: Academic Press 1972
8. McIntosh, R. J.: A generalization of a congruential property of Lucas. Amer. Math. Monthly 99 (3), 231–238 (1992)
9. Niederreiter, H.: Remarks on nonlinear congruential pseudorandom numbers. Metrika 35 (6), 321–328 (1988)
10. Niederreiter, H.: Statistical independence of nonlinear congruential pseudorandom numbers. Monatsh. Math. 106 (2), 149–159 (1988)
11. Niederreiter, H.: Random Number Generation and Quasi-Monte Carlo Methods. Philadelphia: SIAM 1992
12. Niederreiter, H.: New developments in uniform pseudorandom number and vector generation. In: Niederreiter, H., Shiue, P. J.-S. (eds.) Monte Carlo and Quasi-Monte Carlo Methods in Scientific Computing. Lecture Notes in Statistics 106, pp. 87–120. New York: Springer 1995
13. Niederreiter, H., Winterhof, A.: Incomplete exponential sums over finite fields and their applications to new inversive pseudorandom number generators. Acta Arith. 93 (4), 387–399 (2000)
14. Singmaster, D.: Notes on binomial coefficients I – A generalization of Lucas' congruence. J. London Math. Soc. (2) 8, 545–548 (1974)
15. Winterhof, A.: Incomplete additive character sums and applications. In: Jungnickel, D., et al. (eds.) Finite Fields and Applications, Proc. 5th International Conference, Augsburg, 1999, to appear