Abstract
We give upper bounds on the power moments of the number of fixed points of a family of subset sum pseudorandom number generators, introduced by Rueppel (Analysis and design of stream ciphers, Springer-Verlag, Berlin, 1986).
1 Introduction
For a positive integer t, we use \({{\mathbb {Z}}}_t\) to denote the residue ring modulo t, which we always assume to be represented by the set \(\{0, \ldots , t-1\}\).
We fix an r-dimensional integer vector
and define the function \(S_{r,t,\textbf{z}}:~{{\mathbb {Z}}}_t \rightarrow {{\mathbb {Z}}}_t\) as follows. Given \(w \in {{\mathbb {Z}}}_t\) (which following our convention we interpret as an integer from the set \(\{0, \ldots , t-1\}\)) we expand w in binary \(w = \overline{u_{s}\dots u_{1}}\), where \(u_{i}\) represents the i-th least significant bit of w, that is, the i-th bit from the right (if \(r > s\) we pad w with \(r-s\) leading zeroes) and then set
Furthermore, for a fixed vector \(\textbf{z}\) and a given initial value \(w_0\in {{\mathbb {Z}}}_t\) we define the sequence
This construction, introduced by Rueppel [23, Chapter 7] (see also [24, 25]), is known as the subset sum pseudorandom number generator. The efficiency of the generator and its cryptographic properties have been studied by Impagliazzo and Naor [18]. This generator is believed to be cryptographically secure since it relies on a combinatorial rather than an algebraic structure, which prevents mounting attacks similar to those designed in [2,3,4, 12,13,14,15, 19, 21]; see also the references therein.
We note that one of the parameters characterising the pseudorandom properties of any map is the number of its fixed points, since it reflects the mixing properties of this map. For example, the statistics of fixed points have been investigated for such classical cryptographic maps as the RSA encryption function [5] and the discrete logarithm [6, 7, 16, 17]. Several other examples of such results can be found in [1, 8, 9, 11, 20, 22]. A survey of such results, and of related results on short cycles in these maps, can be found in [27].
Here we consider this question for the map \(w \mapsto S_{r,t,\textbf{z}}(w)\). That is, we define and study
More precisely, we are interested in the power moments of this quantity over all \(t^r\) possible choices of the vectors (1.1):
In particular for the first moment, that is, for the average values of \(F_{r,t}(\textbf{z})\) we simplify the notation as
We recall that it has been shown in [26, Theorem 31.2] that for \(t \geqslant 2^r\) the bound
holds.
Here we improve this bound and also obtain a new bound for higher moments.
We note that the subset sum pseudorandom number generator is very fast, as no modular multiplication is needed, and no weakness has been discovered so far. However, very few theoretical results are known about it. Thus, besides giving some concrete theoretical results, we also hope to attract more attention to this generator.
2 Evaluation of the average value of the number of fixed points
We start with a significant improvement of (1.2) and in fact we evaluate A(r, t) explicitly.
Theorem 2.1
For \(t \geqslant 2^r\), we have
Proof
Let
be the length of the binary expansion of t. Hence we write binary representations of \(w \in {{\mathbb {Z}}}_t\) as binary strings of length exactly m (possibly with some zeros on the left, that is, in the most significant positions).
Note that by our assumption \(t \geqslant 2^r\) we have \(m > r\).
Changing the order of summation we write
For
whose binary expansion ends with a string of r zeros, we obviously obtain \(S_{r,t,\textbf{z}}(w)=0\). This leaves only one possible value for \(w \in {{\mathbb {Z}}}_t\) with \(S_{r,t,\textbf{z}}(w) = w\), namely, \(w = 0\), in which case the inner sum is equal to \(t^r\).
The condition (2.2) on w means that \(2^r \mid w\) and thus this happens for elements \(w \in {{\mathbb {Z}}}_t\).
For the remaining choices of \(w = \overline{u_{m} \ldots u_{1}}\) with
there is at least one non-zero entry among the r least significant bits of its binary representation, whose index we define as i. Then the component \(z_{i}\) of \(\textbf{z}\) as in (1.1) is uniquely determined by the other components of \(\textbf{z}\) from the equation
by the other components of \(\textbf{z}\), hence there are exactly \(t^{r-1}\) such choices for \(\textbf{z}\).
Therefore,
which concludes the proof. \(\square \)
In particular, we see from Theorem 2.1 that we can improve (1.2) as
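The following added example (not code from the paper) implements the map \(S_{r,t,\textbf{z}}\) and the generator of Section 1 and computes \(F_{r,t}(\textbf{z})\) and the moments \(M_\nu(r,t)\) by brute force for small parameters. The closed form it checks against is the one the counting argument in the proof of Theorem 2.1 yields (the theorem's display is missing from this copy): \(w = 0\) contributes \(t^r\), the other \(\lceil t/2^r\rceil - 1\) multiples of \(2^r\) in \(\{0,\ldots,t-1\}\) contribute nothing, and each remaining w contributes \(t^{r-1}\), so \(A(r,t) = 2 - \lceil t/2^r\rceil / t\). The function and variable names are assumptions of this example.

```python
"""Brute-force check of the subset sum generator's fixed-point statistics.

Added example (not the paper's code): implements S_{r,t,z} from Section 1,
counts fixed points F_{r,t}(z), and compares the average A(r,t) over all t^r
vectors z with the closed form obtained from the counting argument in the
proof of Theorem 2.1 (the paper's formula display is missing here):
    A(r,t) = 2 - ceil(t / 2^r) / t        (t >= 2^r).
Higher moments M_nu(r,t) are computed by brute force as well; no closed form
is asserted for them.
"""
from fractions import Fraction
from itertools import product


def subset_sum_map(w, z, t):
    """S_{r,t,z}(w): sum of z_i over the bits u_i = 1 among the r least
    significant bits of w, reduced modulo t (r = len(z))."""
    acc = 0
    for i, z_i in enumerate(z):          # i = 0 is the least significant bit u_1
        if (w >> i) & 1:
            acc += z_i
    return acc % t


def generate(w0, z, t, n):
    """First n outputs of the sequence w_{k+1} = S_{r,t,z}(w_k), w_0 = w0."""
    out, w = [], w0
    for _ in range(n):
        w = subset_sum_map(w, z, t)
        out.append(w)
    return out


def fixed_points(z, t):
    """F_{r,t}(z): number of w in Z_t with S_{r,t,z}(w) = w."""
    return sum(1 for w in range(t) if subset_sum_map(w, z, t) == w)


def moment(r, t, nu):
    """M_nu(r,t) = t^{-r} * sum over all z in Z_t^r of F_{r,t}(z)^nu, exact."""
    total = sum(fixed_points(z, t) ** nu for z in product(range(t), repeat=r))
    return Fraction(total, t ** r)


def average_closed_form(r, t):
    """A(r,t) from the proof of Theorem 2.1: w = 0 contributes t^r, the other
    multiples of 2^r below t contribute 0, and every remaining w contributes
    t^{r-1} because one coordinate z_i is determined by the others."""
    multiples = -(-t // 2 ** r)           # ceil(t / 2^r) multiples of 2^r in [0, t)
    return Fraction(t ** r + (t - multiples) * t ** (r - 1), t ** r)


if __name__ == "__main__":
    for r, t in [(1, 2), (2, 5), (3, 11), (3, 9)]:    # all satisfy t >= 2^r
        assert moment(r, t, 1) == average_closed_form(r, t)
        print(f"r={r} t={t}: A={moment(r, t, 1)}  M_2={moment(r, t, 2)}")
    # constructed sample parameters: r = 3, t = 11, z = (3, 5, 6), w_0 = 1
    print(generate(1, (3, 5, 6), 11, 8))
```

Note that only the r least significant bits of w enter the map, so every multiple of \(2^r\) is sent to 0; for a non-prime t such as \(t = 9\) the first-moment formula still holds, since Theorem 2.1 uses no field structure.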
3 Bounding higher moments of the number of fixed points
We recall that the notation \(U = O(V)\), \(U \ll V\) and \( V\gg U\) are equivalent to \(|U|\leqslant c V\) for some positive constant c, which throughout the paper may depend on the order of the moment \(\nu \).
Here we always assume that t is a prime number, hence \({\mathbb {Z}}_t = {\mathbb {F}}_t\) is a finite field of t elements and hence we can use linear algebra over \({\mathbb {F}}_t\).
Theorem 3.1
For a prime \(t> 2^r\), for any fixed integer \(\nu \geqslant 1\) we have
Proof
Let m be defined by (2.1), that is, m is the length of the binary expansion of t. In particular, by our assumption \(t > 2^r\) we have \(m \geqslant r\).
We start with the observation that the value of \(F_{r,t}({\textbf {z}})^{\nu }\) is equal to the number of solutions to the system of \(\nu \) equations in \(m\nu \) variables \(u_{i,j} \in \{0,1\}\), \(i=1,\ldots , m\), \(j =1, \ldots , \nu \):
Note that the variables \(u_{i,j} \in \{0,1\}\), \(i=1,\ldots , m\), \(j =1, \ldots , \nu \), in (3.1) correspond to \(\nu \) vectors \((\textbf{u}_1, \ldots , \textbf{u}_\nu )\) coming from binary expansions of solutions \(w_1, \ldots , w_\nu \in {{\mathbb {F}}}_t\) to \(\nu \) independent equations \(w_j= S_{r,t,\textbf{z}}(w_j)\), \(j =1, \ldots , \nu \).
We define \(U_{\nu , r}(s)\) to be the set of \(\nu \)-tuples of binary vectors \((\textbf{u}_1, \ldots , \textbf{u}_\nu )\) for which the first r components form a matrix of rank s over \( {\mathbb {F}}_t\), that is,
Clearly for every \(\nu \)-tuple \((\textbf{u}_1, \ldots , \textbf{u}_\nu ) \in U_{\nu , r}(s)\) of vectors, the system of congruences (3.1) has at most \(t^{r-s}\) solutions in \({\textbf {z}} \in {\mathbb {Z}}_{t}^{r}\).
We now switch the roles of the binary variables \(u_{i,j} \in \{0,1\}\), \(i=1,\ldots , m\), \(j =1, \ldots , \nu \), and the vectors \({\textbf {z}} \in {\mathbb {Z}}_{t}^{r}\). That is, for each choice of \(u_{i,j} \in \{0,1\}\), \(i=1,\ldots , m\), \(j =1, \ldots , \nu \), we count the number of vectors \({\textbf {z}} \in {\mathbb {Z}}_{t}^{r}\) satisfying (3.1).
We can then bound our summation in terms of \(\# U_{\nu , r}(s)\):
First we note that \(\#U_{\nu , r}(0) = 1 \) as this corresponds to the zero matrix in (3.2) and thus (3.1) implies that the remaining \(m-r\) components of each of the binary vectors \((\textbf{u}_1, \ldots , \textbf{u}_\nu )\) also vanish. Then we have \(t^r\) choices for \(\textbf{z}\). Hence such vectors contribute in total \(t^{r}\) to the case \(s =0\).
To estimate \(\#U_{\nu , r}(s)\) with \(s \geqslant 1\), we note that if we fix s linearly independent vectors
in a family of vectors \((\textbf{u}_1, \ldots , \textbf{u}_\nu ) \in U_{\nu , r}(s)\), then any other vector \(\textbf{u}_j\) belongs to the linear span of \(\textbf{u}_{j_1}, \ldots , \textbf{u}_{j_s}\) over \( {\mathbb {F}}_{t}\). That is,
for some \(a_1, \ldots , a_s\in {\mathbb {F}}_t\). By Cramer's rule we have
for some determinants \(\Delta , \Delta _1, \ldots , \Delta _s\) over \({\mathbb {F}}_t\) formed from the components of the vectors \(\textbf{u}_1, \ldots , \textbf{u}_\nu \) and with \(\Delta \not \equiv 0 \pmod t\). Since all vectors \(\textbf{u}_1, \ldots , \textbf{u}_\nu \) are binary, we easily infer that
see, for example, [10, Problem 523]. Thus, adjusting the signs we see from (3.5) and (3.6) that, regardless of the choice of \(\textbf{u}_{j_1}, \ldots , \textbf{u}_{j_s}\), each vector \((a_1, \ldots , a_s)\) satisfies
(where \(D^{-1}\) is computed modulo t) with some integers
and
and hence there are at most
choices for the vector of the coefficients \((a_1, \ldots , a_s)\) in (3.4).
We emphasise that the meaning of the bound (3.8) is that even if the number of possible vectors \((\textbf{u}_1, \ldots , \textbf{u}_\nu ) \in U_{\nu , r}(s)\), and thus the number of systems of relations (3.4), grows rapidly with r and t, the number of possible choices for the coefficients \((a_1, \ldots , a_s)\) can be bounded in terms of s only (and thus of \(\nu \)), and therefore independently of r and t.
This implies that when \(\textbf{u}_{j_1}, \ldots , \textbf{u}_{j_s}\) are fixed to satisfy (3.2), there are at most \(A_s\) possibilities for the first r coordinates of each of the other vectors forming a \(\nu \)-tuple \((\textbf{u}_1, \ldots , \textbf{u}_\nu ) \in U_{\nu , r}(s)\), and thus at most \(A_s 2^{m-r}\) possibilities for the whole vector. Since there are at most
choices for \(\textbf{u}_{j_1}, \ldots , \textbf{u}_{j_s}\) we obtain
Since we assume that \(\nu \) is fixed and \(s \leqslant \nu \), this simplifies as
We can now substitute the above bound for \(\#U_{\nu , r}(s)\) in (3.3), getting
Note that we have requested that \(t >2^{r}\), which implies \(t \cdot 2^{-r} > 1\), so
which concludes the proof. \(\square \)
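The counting step at the heart of the proof, checked by brute force in an added example (not code from the paper): for a prime \(t > 2^r\) and a \(\nu\)-tuple \((w_1, \ldots, w_\nu)\) of candidate fixed points, the r least significant bits of each \(w_j\) form a \(\nu \times r\) matrix over \({\mathbb {F}}_t\); if its rank is s, the system (3.1) has at most \(t^{r-s}\) solutions \(\textbf{z}\), and summing the solution counts over all tuples gives \(t^r M_\nu(r,t)\). The function names and the small parameter sets are assumptions of this example; the Gaussian elimination is ordinary rank computation modulo a prime, not anything specific to the paper.

```python
"""Added example (not from the paper): checks the rank-based counting behind
Theorem 3.1 for small prime t > 2^r.  For a nu-tuple (w_1, ..., w_nu), the
bit vectors of the r least significant bits of each w_j form a nu x r matrix
over F_t; if it has rank s, the linear system S_{r,t,z}(w_j) = w_j for all j
has at most t^(r-s) solutions z in F_t^r.  Summing the solution counts over
all t^nu tuples gives t^r * M_nu(r,t).
"""
from itertools import product


def low_bits(w, r):
    """Row vector (u_1, ..., u_r) of the r least significant bits of w."""
    return [(w >> i) & 1 for i in range(r)]


def rank_mod_p(rows, p):
    """Rank over F_p of a matrix given as a list of rows (Gaussian elimination)."""
    m = [list(row) for row in rows]
    rank, ncols = 0, (len(m[0]) if m else 0)
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] % p), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)             # p is prime, so the inverse exists
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col] % p:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def count_solutions(ws, r, t):
    """Number of z in F_t^r with sum_i u_{i,j} z_i = w_j (mod t) for every j,
    i.e. the number of z for which every w_j is a fixed point of S_{r,t,z}."""
    bits = [low_bits(w, r) for w in ws]
    return sum(
        1 for z in product(range(t), repeat=r)
        if all(sum(u * zi for u, zi in zip(row, z)) % t == w
               for row, w in zip(bits, ws))
    )


def check_rank_bound(r, t, nu):
    """For every nu-tuple of w's, verify count <= t^(r - rank).  Returns
    (all_ok, total) where total = sum of the counts = t^r * M_nu(r,t)."""
    ok, total = True, 0
    for ws in product(range(t), repeat=nu):
        s = rank_mod_p([low_bits(w, r) for w in ws], t)
        c = count_solutions(ws, r, t)
        ok = ok and c <= t ** (r - s)
        total += c
    return ok, total


if __name__ == "__main__":
    # constructed small parameter sets; all have t prime and t > 2^r
    for r, t, nu in [(2, 5, 1), (2, 5, 2), (3, 11, 2)]:
        ok, total = check_rank_bound(r, t, nu)
        print(f"r={r} t={t} nu={nu}: bound holds={ok}, t^r*M_nu={total}")
```

The zero tuple has rank 0 and is satisfied by all \(t^r\) vectors, which is the \(s = 0\) contribution in the proof; a tuple such as \((1, 2)\) with \(r = 2\) has rank 2 and pins \(\textbf{z}\) down completely, giving the single solution \(\textbf{z} = (1, 2)\).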
4 Comments
In Theorem 3.1, we have suppressed the dependence on the order of the moments \(\nu \). There are two reasons for this.
First, we do not consider \(\nu \) to be an important parameter. For example, the choice of \(\nu = 2\) already gives us important information, and the extra technical calculations do not seem to be justified by the importance of this. However, we provide all estimates necessary for this, if one decides to trace the dependence on \(\nu \). For example, we note that (3.6) is slightly stronger than the classical Hadamard inequality, which is still sufficient for our purposes, since we do not compute the explicit dependence on \(\nu \). Besides its potential use in computing the explicit dependence on \(\nu \), we also present (3.6) because we believe it deserves to be known more broadly.
The second reason is that before computing the explicit dependence on \(\nu \), one has to attempt to improve the bound (3.8) on the number of distinct vectors which can be solutions to all non-singular systems of s linear congruences modulo t with binary coefficients. This question seems to be of independent interest and certainly deserves further investigation. Certainly one can improve (3.8) by an absolute constant, taking into account that in (3.7) we need only count \(D, D_1, \ldots , D_s\) with
However we are interested in more substantial improvements.
We also would like to note that our approach does not extend to bounding the number of short cycles. For example, we do not have any nontrivial estimate on the number of 2-cycles
on average over \(\textbf{z}\in {{\mathbb {F}}}_t^r\), which is another interesting open question.
References
Balog A., Broughan K.A., Shparlinski I.E.: On the number of solutions of exponential congruences. Acta Arith. 148, 93–103 (2011).
Blackburn S.R., Gómez-Pérez D., Gutierrez J., Shparlinski I.E.: Predicting the inversive generator. Lecture Notes Comp. Sci. 2898, 264–275 (2003).
Blackburn S.R., Gómez-Pérez D., Gutierrez J., Shparlinski I.E.: Predicting nonlinear pseudorandom number generators. Math. Comput. 74, 1471–1494 (2005).
Blackburn S.R., Gómez-Pérez D., Gutierrez J., Shparlinski I.E.: Reconstructing noisy polynomial evaluation in residue rings. J. Algorithms 61, 47–90 (2006).
Blakley G., Borosh I.: Rivest-Shamir-Adleman public key cryptosystems do not always conceal messages. Comput. Math. Appl. 5, 169–178 (1979).
Bourgain J., Konyagin S.V., Shparlinski I.E.: Product sets of rationals, multiplicative translates of subgroups in residue rings and fixed points of the discrete logarithm. Intern. Math. Res. Not. 2008, Article rnn090 (2008). Corrigenda: Intern. Math. Res. Not. 2009, 3146–3147 (2009).
Bourgain J., Konyagin S.V., Shparlinski I.E.: Distribution of elements of cosets of small subgroups and applications. Intern. Math. Res. Not. 2012, 1968–2009 (2012).
Chen Z., Winterhof A.: Interpolation of Fermat quotients. SIAM J. Discret. Math. 28, 1–7 (2014).
Cilleruelo J., Garaev M.Z.: Congruences involving product of intervals and sets with small multiplicative doubling modulo a prime and applications. Math. Proc. Camb. Philos. Soc. 160, 477–494 (2016).
Faddeev D.K., Sominskii I.S.: Problems in Higher Algebra. W. H. Freeman, San Francisco (1965).
Felix A.T., Kurlberg P.: On the fixed points of the map \(x \mapsto x^x\) modulo a prime, II. Finite Fields Appl. 48, 141–159 (2017).
Gómez-Pérez D., Gutierrez J., Ibeas Á.: Attacking the Pollard generator. IEEE Trans. Inform. Theory 52, 5518–5523 (2006).
Gutierrez J.: Attacking the linear congruential generator on elliptic curves via lattice techniques. Cryptogr. Commun. 14, 505–525 (2022).
Gutierrez J.: Reconstructing points of superelliptic curves over a prime finite field. Adv. Math. Commun. (2022). https://doi.org/10.3934/amc.2022022.
Gutierrez J., Ibeas Á.: Inferring sequences produced by a linear congruential generator on elliptic curves missing high-order bits. Des. Codes Cryptogr. 41, 199–212 (2007).
Holden J., Moree P.: New conjectures and results for small cycles of the discrete logarithm. In: High Primes and Misdemeanours: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams, Fields Institute Communications, vol. 41, pp. 245–254. Amer. Math. Soc., Providence, RI (2004).
Holden J., Moree P.: Some heuristics and results for small cycles of the discrete logarithm. Math. Comput. 75, 419–449 (2006).
Impagliazzo R., Naor M.: Efficient cryptographic schemes provably as secure as subset sum. J. Cryptol. 9, 199–216 (1996).
Krawczyk H.: How to predict congruential generators. J. Algorithms 13, 527–545 (1992).
Kurlberg P., Luca F., Shparlinski I.E.: On the fixed points of the map \(x \mapsto x^x\) modulo a prime. Math. Res. Lett. 22, 141–168 (2015).
Lagarias J.C.: Pseudorandom number generators in cryptography and number theory. In: Proceedings of Symposia in Applied Mathematics, vol. 42, pp. 115–143. Amer. Math. Soc., Providence, RI (1990).
Ostafe A., Shparlinski I.E.: Pseudorandomness and dynamics of Fermat quotients. SIAM J. Discret. Math. 25, 50–71 (2011).
Rueppel R.A.: Analysis and Design of Stream Ciphers. Springer-Verlag, Berlin (1986).
Rueppel R.A.: Stream Ciphers, Contemporary Cryptology: The Science of Information Integrity, pp. 65–134. IEEE Press, New York (1992).
Rueppel R.A., Massey J.L.: Knapsack as a nonlinear function. In: Proceedings of the IEEE International Symposium on Information Theory, p. 46. IEEE Press, New York (1985).
Shparlinski I.E.: Cryptographic Applications of Analytic Number Theory. Birkhäuser, Basel (2003).
Shparlinski I.E.: Dynamical systems of non-algebraic origin: fixed points and orbit lengths. Contemp. Math. 669, 261–283 (2016).
Acknowledgements
The author is very grateful to the referees for the very careful reading of the manuscript and many very useful comments. This work was partially supported by the Australian Research Council Grant DP200100355.
Funding
Open Access funding enabled and organized by CAUL and its Member Institutions
Communicated by L. Mérai.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Shparlinski, I.E. Fixed points of the subset sum pseudorandom number generators. Des. Codes Cryptogr. 91, 2473–2479 (2023). https://doi.org/10.1007/s10623-023-01209-5