1: %&latex
2: %File: C:\MYDIR\PAPERS\To_publ\Uni_eng_3_fin.tex Mon Jan 26 19:12:38 2004
3:
4: \documentclass{amsart}
%\usepackage[cp1251]{inputenc}%%% Can be disabled if the compiler understands the encoding
%\usepackage[russian, english]{babel}%% For English/Russian text; disable in English-only text
%\usepackage[english,russian]{babel}%% For Russian text
8: %\usepackage{amsmath}
9: \usepackage{amssymb}
10: %\usepackage{hhline}
11: %\usepackage{amsxtra}
12: %\usepackage{amsthm}
13: %\usepackage{theorem}
%\usepackage{showkeys} %%Disable entirely for the final printout!!! To disable
%%references to theorems, add the argument [notref]; to disable references
%%to the bibliography, add [notcite]
17: %\usepackage{showtags}
18:
19: %%%%THEOREM-like environment%%%
20: %\theoremstyle{margin}
21: \swapnumbers
22: \theoremstyle{plain}
23: \newtheorem{thm}{Theorem}[section]
24: \newtheorem{lem}[thm]{Lemma}
25: \newtheorem{prop}[thm]{Proposition}
26: \newtheorem{cor}[thm]{Corollary}
27: \newtheorem{OpQu}[thm]{Open question}
28: \newtheorem*{OpQu*}{Open question}
29: \theoremstyle{definition}
30: \newtheorem{defn}[thm]{Definition}
31: \theoremstyle{remark}
32: \newtheorem{note}[thm]{Note}
33: \newtheorem*{note*}{Note}
34: \newtheorem{exmp}[thm]{Example}
35: \newtheorem*{exmp*}{Example}
36:
37: %%%Numbering of eqns%%%
38: \numberwithin{equation}{thm}
39:
40: %%%Operators%%%
41:
42: \DeclareMathOperator{\ord}{ord}
43: \DeclareMathOperator{\wt}{wt}
44: \DeclareMathOperator{\Wt}{Wt}
45: \DeclareMathOperator{\Coef}{Coef}
46: \DeclareMathOperator*{\Limsup}{\overline\lim}
47: \DeclareMathOperator*{\Liminf}{\underline\lim}
48: \DeclareMathOperator*{\Wr}{\wr}
49:
50: \DeclareMathOperator{\XOR}{\scriptstyle{\mathsf{XOR}}}
51: \DeclareMathOperator{\OR}{\scriptstyle{\mathsf {OR}}}
52: \DeclareMathOperator{\AND}{\scriptstyle{\mathsf {AND}}}
53: \DeclareMathOperator{\NEG}{\scriptstyle{\mathsf {NEG}}}
54:
55: %%%New commands%%%
56: \newcommand{\Z}{\mathbb Z}
57: \newcommand{\Q}{\mathbb Q}
58: \newcommand{\N}{\mathbb N}
59: \newcommand{\R}{\mathbb R}
60:
61: %%%Modified commands%%%
62: \renewcommand{\:}{\colon}
63: \renewcommand{\>}{\rightarrow}
64:
\usepackage[backref,% %% When the showkeys package is enabled, disable hyperref!!!
66: pagebackref,%
67: %hypertex,%
68: bookmarks=true,%
69: colorlinks=true]%
70: {hyperref}
71: %
72:
\hypersetup{%
pdfauthor={Vladimir Anashin},
pdftitle={Pseudorandom generation with p-adic ergodic
transformations},
pdfsubject={Pseudorandom generators},
pdfkeywords={pseudorandom, p-adic, ergodic}}
79: %
80: \begin{document}
81:
82: \hyphenation{appli-cat-ions cryp-to-gra-phy com-ple-xi-ty com-po-si-ti-ons
83: dis-tan-ce ad-di-ti-on in-effect-ive multi-pli-cat-ion con-junct-ion
84: com-pos-it-ion funct-ions Mau-rer ge-ne-ra-li-z-ed equi-pro-b-ab-le}
85: %
86: %
87: %%CW def's
88: \def\huh{\hbox{\vrule width 2pt height 8pt depth 2pt}}
89: \def\eqnum#1{\eqno (#1)}
90: \def\cwdash{\relbar\joinrel}
91: \def\fnote#1{\footnote}
92:
93:
94: \title[Pseudorandom generators] {Pseudorandom number generation by $p$-adic ergodic
95: transformations}
96: \author{Vladimir Anashin}
97:
98: \address{Faculty of Information Security,
99: Russian State University for the Humanities,\\
100: Kirovogradskaya Str., 25/2, Moscow 113534, Russia}
101:
102: \email{anashin@rsuh.ru, vladimir@anashin.msk.su}
103:
104:
105:
106:
\begin{abstract}
The paper studies counter-dependent pseudorandom generators;
the latter are generators such that their state
transition function (and output function) is modified
dynamically while working:
for such a generator
%i.e. generators with
the recurrence sequence
of states satisfies a congruence
$x_{i+1}\equiv f_i(x_i)\pmod{2^n}$, while its output sequence is of the
form $z_{i}=F_i(u_i)$. The paper introduces techniques and constructions
that enable one to compose
generators that output uniformly distributed sequences
of maximum period length and with high linear and $2$-adic spans. The corresponding
stream cipher is provably strong against a known plaintext attack (up to
a plausible conjecture).
Both the state
transition function and the output function could be key-dependent, so the only
information available to a cryptanalyst is
that these functions belong to some (exponentially large) class.
These functions are compositions of standard machine instructions (such
as addition, multiplication, bitwise logical operations, etc.). The compositions
should satisfy rather loose conditions, so the corresponding generators are
flexible enough
and could be easily implemented as computer programs.
\end{abstract}
134: \keywords{Pseudorandom generator, counter-dependent generator, ergodic transformation, equiprobable
135: function, $p$-adic analysis}
136: \subjclass{11K45, 94A60, 68P25, 65C10}
137:
138: \maketitle
139:
140:
141: \section {Introduction}
142: \label{Intro}
143:
144: The study of ergodic, measure-preserving and equiprobable functions on
145: the space $\mathbb{Z}_p$ of $p$-adic integers in ~\cite{me-1, me-2, me-conf,
146: me-ex} was mainly motivated
147: by possible applications to pseudorandom
148: number generation for cryptography and simulation. In the present paper
149: we
150: consider generators based on these functions, {\slshape prove} that the produced
151: sequences have
152: some (properly defined below) `features of randomness', and calculate {\slshape exact}
153: values
154: of certain (crucial for cryptographic security) parameters of these generators.
155: Namely, we characterize
156: all possible output sequences in the class of all sequences, calculate
157: exact lengths of their periods, distribution of overlapping and non-overlapping
158: $k$-tuples, linear complexity, and $p$-adic span. Also, we demonstrate
159: that with the use of these functions it is possible to construct
160: a stream cipher such that to recover its key is an infeasible problem
161: (up to some plausible conjectures).
162:
163: % Moreover, we give some evidence of practical
164: % non-predictability
165: % of these sequences, and introduce a key distribution protocol which assures
166: % proper distance between each pair of keys
167: % (given two states, the number of steps the generator makes to reach the
168: % second state starting with the first one).
169: % % In other words, the protocol
170: % guarantees that
171: % the key streams generated with different initial keys will not overlap.
172:
173: In fact, the paper introduces certain techniques and constructions that
174: enable one to design
175: %With the use of these techniques it is possible to construct
176: stream ciphers with both state transition and output functions depending on
177: key; yet {\slshape independently of key choice} the corresponding
178: generator always provides predefined
179: values of output sequence parameters, which are
180: mentioned above. These functions are (key-dependent) compositions of (standard)
181: machine instructions:
182: arithmetic ones, such as addition and
183: multiplication (exponentiation and raising to negative powers as well),
184: logical ones, such as $\XOR$, $\OR$, $\AND$, $\NEG$, etc., and others
(e.g., shifts, masking). Thus, generators of this kind admit quite natural implementation
as a computer program. Such generators are rather flexible: to obtain the required performance
a programmer could vary the length of the composition and the choice of
machine instructions {\slshape without} affecting the above mentioned probabilistic
and cryptographic characteristics.
190:
191: Further, focusing on these ideas we introduce counter-dependent generators;
192: the latter are generators such that their state
193: transition function (and output function) is being modified dynamically while working.
194: To be more exact, for these generators
195: %i.e. generators with
196: the recurrence sequence
197: of states satisfies a congruence
198: $x_{i+1}\equiv f_i(x_i)\pmod{2^n}$, while their output sequence is of the
form $z_{i}=F_i(u_i)$. Note that both the state transition function $f_i$ and the output
function $F_i$ depend on the number $i$ of the step; yet nevertheless the output
sequence is purely periodic, its period length is a multiple of $2^n$,
the distribution of $k$-tuples, $k\le n$, is uniform, its linear complexity is
high, etc.
204: %every sequence consisting
205: %of $j$\textsuperscript{th} bit of $z_i$ (so called $j$\textsuperscript{th}
206: %coordinate sequence) is not less than
Moreover, not only $f_i$ and $F_i$ themselves
could be keyed, but also the order in which they are used during encryption.%
209: \footnote{The notion of a counter-dependent generator was
210: originally introduced in \cite{ShTs}. However, in
211: our paper we consider this notion in a broader sense: In our counter-dependent
212: generators
213: not only the state
214: transition function, but also the output function depends on $i$. Moreover,
215: in \cite{ShTs} only a particular case of counter-dependent generators
216: is studied; namely, counter-assisted generators and their cascaded and two-step
217: modifications. A state transition function of a counter-assisted generator is
218: of the form $f_i(x)=i\star
219: h(x)$, where $\star$ is a binary quasigroup operation (in particular, group
220: operation, e.g., $+$ or
221: $\XOR$), and $h(x)$ does not depend on $i$.
222: An output function of a counter-assisted generator does not depend
223: on $i$ either. The main security notion studied in \cite{ShTs} is diversity, which
224: generalizes a concept of long cycles. Note that all our generators achieve
225: maximum possible total diversity, which is equal to the order of the output set.}
226:
To give an idea of what these schemes look like, consider the following
example of a counter-dependent generator modulo $2^n$. Take arbitrary $m\equiv3\pmod 4$,
229: then take $m$ {\slshape arbitrary} compositions $v_0(x),\ldots,v_{m-1}(x)$ of the above
230: mentioned machine instructions (addition, multiplication, $\XOR$, $\AND$,
231: etc.) and constants, then take another $m$ {\slshape arbitrary} compositions
232: $w_0(x),\ldots,w_{m-1}(x)$ of this kind. Arrange two arrays $V$ and $W$
233: writing these $v_j(x)$ and $w_j(x)$ to memory in {\slshape arbitrary} order.
Now choose arbitrary $x_0\in\{0,1,\ldots, 2^n-1\}$ as a seed. The generator
235: calculates the recurrence
236: sequence of states $x_{i+1}=(i+x_i+2\cdot(v_i(x_i+1)-v_i(x_i)))\bmod 2^n$
237: and outputs the sequence
238: $z_{i}=(1+\pi(x_i)+2\cdot (w_i(\pi(x_i+1))-w_i(\pi(x_i))))\bmod 2^n$,
239: where $\pi$ is a bit order reversing permutation, which reads an $n$-bit
240: number
241: $z\in\{0,1,\ldots, 2^{n}-1\}$ in a reverse bit order; e.g., $\pi(0)=0, \pi(1)=2^{n-1},
242: \pi(2)=2^{n-2},\pi(3)=2^{n-2}+2^{n-1}$, etc. Then the sequence $\{x_i\}$
243: is a purely periodic sequence of period length $2^nm$ of $n$-bit numbers, and each
244: number of $\{0,1,\ldots, 2^{n}-1\}$ occurs at the period exactly $m$ times.
245: Moreover, if we consider $\{x_i\}$ as a binary sequence of period length
246: $2^nmn$, then the frequency each $k$-tuple ($0< k\le n$) occurs in the
247: sequence is exactly $\frac{1}{2^k}$. The output sequence $\{z_i\}$ is also
248: purely
periodic of period length $2^nm$, and each number of $\{0,1,\ldots, 2^{n}-1\}$
occurs at the period exactly $m$ times as well. Moreover,
251: every binary sequence obtained by reading each $s$\textsuperscript{th}
252: bit $\delta_s(z_i)$ ($0\le s\le n-1$) of the output sequence is purely
253: periodic; its period length is a multiple of $2^n$, hence its linear complexity
254: (as well as the one of the whole sequence $\{z_i\}$)
255: exceeds $2^{n-1}$.
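The generator just described, as an added example that is not part of the paper: the Python code below runs it for $n=8$, $m=3$ and measures the period and the distribution of its states and outputs directly. Two readings are assumed here. First, at step $i$ the constant term and the entries of the arrays $V$ and $W$ are taken with index $j=i\bmod m$, so that the constants $0,1,\ldots,m-1$ recur cyclically. Second, the output at step $i$ is $F_j(y)=1+y+2(w_j(y+1)-w_j(y))$, a map of the ergodic form, applied to $y=\pi(x_i)$. The compositions $v_j$, $w_j$ are constructed for this example and the only property of them that is used is compatibility; all function names are the example's own.

```python
from collections import Counter


def bit_reverse(x, n):
    """pi_n^1: the n-bit number x read in reverse bit order."""
    return int(f"{x:0{n}b}"[::-1], 2)


# Constructed compositions of machine instructions (+, *, XOR, AND, OR with
# constants), standing in for the "arbitrary compositions" v_j and w_j.  Each
# is compatible (u = u' mod 2^r implies v(u) = v(u') mod 2^r), which is all
# the construction asks of them.
V = [lambda x: (x * x + 3 * x) ^ 5,
     lambda x: (x & 0b1010) + 7 * x,
     lambda x: x * (x ^ 12) + 1]
W = [lambda y: (y ^ 27) * y,
     lambda y: 5 * y + (y & 0b0110),
     lambda y: y * y * y + (y | 3)]


def f(j, x, n):
    """State transition f_j(x) = j + x + 2*(v_j(x+1) - v_j(x)) mod 2^n."""
    return (j + x + 2 * (V[j](x + 1) - V[j](x))) % 2 ** n


def F(j, y, n):
    """Output function F_j(y) = 1 + y + 2*(w_j(y+1) - w_j(y)) mod 2^n,
    applied to y = pi(x_i); a map of this shape is ergodic, hence bijective."""
    return (1 + y + 2 * (W[j](y + 1) - W[j](y))) % 2 ** n


def run(n, m, x0, steps):
    """States x_0..x_{steps-1} and outputs z_0..z_{steps-1} of the generator."""
    xs, zs, x = [], [], x0
    for i in range(steps):
        j = i % m                       # which pair (v_j, w_j) and which constant
        xs.append(x)
        zs.append(F(j, bit_reverse(x, n), n))
        x = f(j, x, n)
    return xs, zs


def period(seq):
    """Least P with seq[i] == seq[i+P] for all i; seq must hold >= 2 periods."""
    return next(P for P in range(1, len(seq) // 2 + 1)
                if all(seq[i] == seq[i + P] for i in range(len(seq) - P)))


def is_single_cycle(g, N):
    """True if x -> g(x) permutes {0,...,N-1} as one cycle of length N."""
    x, seen = 0, set()
    for _ in range(N):
        seen.add(x)
        x = g(x)
    return len(seen) == N and x == 0


def analyse(n=8, m=3, x0=0x5A):
    """Measure, for one concrete generator, the properties the text claims:
    period a multiple of 2^n dividing 2^n*m, each residue m times per 2^n*m
    steps (states and outputs), every f_j a bijection mod 2^n, and the
    composite f_{m-1} o ... o f_0 a single cycle of length 2^n."""
    N = 2 ** n
    xs, zs = run(n, m, x0, 2 * N * m)   # two full periods of 2^n*m steps

    def composite(x):                   # one pass through the whole array V
        for j in range(m):
            x = f(j, x, n)
        return x

    return {
        "period_x": period(xs),
        "period_z": period(zs),
        "state_counts": Counter(xs[:N * m]),
        "output_counts": Counter(zs[:N * m]),
        "each_f_bijective": all(len({f(j, x, n) for x in range(N)}) == N
                                for j in range(m)),
        "composite_single_cycle": is_single_cycle(composite, N),
    }


if __name__ == "__main__":
    r = analyse()
    print("period of states:", r["period_x"], " period of outputs:", r["period_z"])
    print("composite map is one 256-cycle:", r["composite_single_cycle"])
```

Why the composite map is one cycle can be seen from its constant term: the constants $0,1,\ldots,m-1$ add up to $m(m-1)/2$, which is odd for $m\equiv 3\pmod 4$, while the contributions $2(v_j(x+1)-v_j(x))$ summed over a full residue system modulo $2^n$ telescope to a multiple of $2^{n+1}$ by compatibility; this is exactly what lifts transitivity from $2^n$ to $2^{n+1}$. Once the composite is a single $2^n$-cycle, the states at offsets $1,\ldots,m-1$ inside each block of $m$ steps are images of that cycle under the bijections $f_0$, $f_1\circ f_0$, $\ldots$, so every residue appears $m$ times in $2^nm$ consecutive states, and likewise for the outputs, since each $F_j$ and $\pi$ are bijections.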
256:
257: % discuss a two-stage encryption scheme,
258: % which, at the
259: % first stage, produces in a key-dependent way both the state transition function and
260: % the output function, and then, during the second stage, encrypt a binary plaintext
261: % by XORing it with a pseudorandom sequence, generated by a stream cipher
262: % generator with state transition and output functions produced during the first stage.
In fact, for such stream encryption schemes the only information available
to a cryptanalyst is
that both the output and the state transition functions
belong to a certain (exponentially large) class of functions, and practically
nothing
more.
% However, independently of key choice, the produced sequence will
% have the maximum possible length of period, uniform distribution of $k$-tuples and
% other properties, mentioned above (and which exact definitions are given
% below in the paper).
Thus, practical attacks on such a stream encryption scheme seem to be ineffective.
274:
We must immediately note here that, strictly speaking, all these results
give some evidence, yet {\slshape not the proof} of cryptographic security of
these ciphers. We recall, however, that today there exists no unconditional
mathematical proof of security for any stream cipher based on a deterministic algorithm.
We ought to emphasize also that the study of stream encryption schemes
below should not be considered as an exhaustive cryptographic analysis.
The latter implies a study of attacks against a particular scheme whose numerical
parameters have exact predefined values. Loosely speaking, further
results could be considered as a `toolkit' for a stream cipher designer,
but {\slshape not} as a `make-it-yourself kit': the latter implies detailed
`assembly instructions'; following them guarantees an adequate quality of the whole
thing. No such instructions are given in the present paper, only some ideas
and hints.
288:
289: The paper is organized as follows:
290: \begin{itemize}
\item In Section \ref{Prelm} we introduce some basic notions, consider
standard machine instructions as continuous $2$-adic mappings, describe their
properties and prove that under certain very loose conditions the output
sequence will be uniformly distributed.
295: \item In Section \ref{sec:Tool} we state a number of results that enable
296: one to construct permutations with a single cycle and equiprobable functions
297: out of standard machine instructions. Moreover, as examples of how these techniques
298: work we reprove some of
299: known results in this area, as well as establish new ones.
\item In Section \ref{sec:Constr} we outline several ways of combining
functions described in Section \ref{sec:Tool}
into an automaton that generates a uniformly distributed sequence.
303: There we introduce a new construction (called wreath product of automata,
304: by analogy with a corresponding group theory construction)
305: that enables one to build counter-dependent generators with uniformly
306: distributed output sequences of a maximum period length.
307: \item In Section \ref{sec:Prop} we study complexity and distribution
308: of output sequences
309: of automata introduced in Section \ref{sec:Constr}: Linear and $2$-adic spans
310: of these sequences,
311: their structure, distribution of $k$-tuples in them, etc. In particular, we prove that distribution
312: of (overlapping) $k$-tuples is strictly uniform; namely, that these
313: output sequences have a property that could be called a generalized
314: De Bruijn: Being considered as binary sequences, they
315: are purely periodic, their period lengths are multiples of $2^n$, and each
$k$-tuple ($k\le n$) occurs at the period the same number of times. From
here we deduce
that a large class of
these sequences satisfies Knuth's criterion Q1
\footnote{See \cite[Section 3.5, Definition Q1]{Knuth} } of randomness.
321: \item In Section \ref{sec:Predict} we demonstrate how to construct a stream
322: cipher with intractable key recovery problem conjecturing that a set
323: of $k$
324: multivariate Boolean polynomials define a one-way function (it is known that to determine
325: whether a system of $k$ Boolean polynomials in $n$ variables has a common
326: zero
327: is an NP-complete
328: problem \footnote{See e.g. \cite[Appendix
329: A, Section A7.2, Problem ANT-9]{GJ}}).
330:
331: \end{itemize}
332:
333: % However, as computer simulation tasks (e.g., quasi
334: % Monte Carlo) assume no limitations to practical infeasibility of finding
335: % initial state (key), corresponding to a given output sequence, the
336: % generators described below could be used for these purposes immediately. Machine
337: % experiments which have been undertaken confirm that these generators pass
338: % all commonly used tests (DIEHARD, Maurer's universal test ~\cite{Mau}, NIST tests
339: % ~\cite{NIST})
340: % and some others (such as artificial intelligence test ~\cite{Art}). In fact,
341: % these generators have passed all the tests we could find both in literature
342: % and in the Internet. All this, together with the flexibility of the generators, which
343: % enables a programmer to achive suitable performance, give us a confidence
344: % in practical usefulness of the proposed schemes.
345:
346: \section{Preliminaries}
347: \label{Prelm}
348:
349: Basically, a generator we consider in the paper is a finite automaton
350: ${\mathfrak A}=\langle N,M,f,F,u_0\rangle $ with a finite state set $N$, state
351: transition function
352: $f:N\rightarrow N$, finite output alphabet $M$, output function $F:N\rightarrow M$
353: and an initial state (seed) $u_0\in N$. Thus, this generator produces a sequence
354: $$\mathcal S=\{F(u_0), F(f(u_0)), F(f^{(2)}(u_0)),\ldots, F(f^{(j)}(u_0)),\ldots\}$$
355: over
356: the set $M$, where
357: $$f^{(j)}(u_0)=\underbrace{f(\ldots f(}_{j
358: \;\text{times}}u_0)\ldots)\ \ (j=1,2,\ldots);\quad f^{(0)}(u_0)=u_0.$$
359: Automata of the form $\mathfrak
360: A$ will be considered either as pseudorandom generators per se, or as components
361: of more complicated pseudorandom generators, which are introduced in Section
362: \ref{sec:Constr}; the latter produce pseudorandom
363: sequences
364: $\{z_0,z_1,z_2,\ldots\}$ over $M$ according to the rule
365: $$z_0=F_0(u_0),u_1=f_0(u_0);\ldots
366: z_{i}=F_i(u_i), u_{i+1}=f_i(u_i);\ldots$$
367: That is, at the $(i+1)$\textsuperscript{th} step the automaton
368: $\mathfrak A_i=\langle N,M,f_i,F_i,u_i\rangle $
369: is applied to the state $u_i\in N$, producing a new state $u_{i+1}=f_i(u_i)\in
370: N$, and
371: outputting a symbol $z_{i}=F_i(u_i)\in M$.
372: % Here all the automata
373: % $\mathfrak A_i=\langle N,M,f_i,F_i,u_i\rangle $
374: % have the same state set $N$ and the same
375: % output alphabet $M$.
376:
377: Quite often in the paper we assume
378: that $N=\mathbb I_n(p)=
379: \{0,1,\ldots,p^n\nobreak-\nobreak
1\}$, $M=\mathbb I_m(p)$, $m\le n$, where $p$ is a (usually prime)
positive rational integer greater than 1.
382: Moreover, mainly we are focused on the case $p=2$ as the
383: most convenient for computer implementations, and use a shorter notation
384: $\mathbb I_n$ instead of $\mathbb I_n(2)$. As a rule, further we formulate results
385: mainly for this case, making brief remarks for those of them that remain true
386: for arbitrary $p$.
387:
388: %
Now let $n=km>1$ (possibly with $k=1$) be a positive rational integer. Let the
state set $N$ of the above mentioned automaton $\mathfrak A$ be
391: $\mathbb I_n=\{0,1,\ldots,2^n\nobreak-\nobreak
392: 1\}$. Further we will identify the set ${\mathbb I}_n$ either with the set of
393: all elements of the residue class ring $\mathbb Z/2^n$ of integers modulo $2^n$,
394: or with a set $\mathbb
395: W_n(2)$ of all $n$-bit words in the alphabet ${\mathbb I}=\mathbb I_1=\{0,1\}$,
396: or with
397: a set of all elements of a direct product
398: $$(\mathbb Z/2^m)^{(k)}=\underbrace{\mathbb Z/2^m\times\cdots\times \mathbb Z/2^m}_{k
399: \;\text{times}}$$
400: of $k$ copies of the residue class ring $\mathbb Z/2^m$, or with a set $\mathbb W_k(2^m)$ of all words of length
401: $k$ in the alphabet $\mathbb I_m$. In other words, if necessary, we may treat
402: a number $i\in\{0,1,\ldots, 2^n-1\}$ either as an $n$-bit word, or as a $k$-tuple
403: of numbers of $\{0,1,\ldots,2^m-1\}$, or as a $k$-tuple of $m$-bit blocks.
404: %a concatent
405: %of
406:
407: To be more exact, let $\delta_j^{m}(i)\in\mathbb I_m$ be the $j$\textsuperscript{th} digit of
408: a number $i$ in its base-$2^m$ expansion: that is, if
409: $i=i_0+i_1\cdot 2^m +i_2\cdot (2^m)^2+\ldots$, where $i_j\in\mathbb I_m$,
410: $j=0,1,2,\ldots$, then, by definition, $\delta_j^{m}(i)=i_j$. (For $m=1$
411: we usually
412: omit the superscript, when this does not lead to misunderstanding).
With these notations, if $i\in\mathbb I_n$, then the word
$w_k(i)\in\mathbb W_k(2^m)$ is the concatenation
$\delta_0^{m}(i)\ldots\delta_{k-1}^{m}(i)$, and a corresponding element
416: $r_k(i)\in(\mathbb Z/2^m)^{(k)}$ is
417: $r_k(i)=(\delta_0^{m}(i),\ldots,\delta_{k-1}^{m}(i))$.
418: Thus, for each
419: $i\in\mathbb I_n$ and for arbitrary mappings
420: $F:(\mathbb Z/2^m)^{(k)}\rightarrow \mathbb Z/2^m$ and $G:\mathbb W_n(2)\rightarrow \mathbb
421: W_k(2^m)$ the expressions $F(i)$ and $G(i)$ are correctly defined: namely,
422: $F(i)$ stands for $F(r_k(i))$, $G(i)$ stands for $G(w_k(i))$. In view of the above mentioned bijections
423: between $\mathbb I_m$ and $\mathbb Z/2^m$, both $F(i)$ and $G(i)$ may be considered
424: as elements of $\mathbb I_m$ and $\mathbb I_n$, respectively.
425:
426: We will need a particular mapping
427: $\pi_s^t :\mathbb W_s(2^t)\rightarrow \mathbb W_s(2^t)$, an order reversing
428: permutation:
429: $\pi_s^t(u_0u_1\ldots
430: u_{s-1})=u_{s-1}u_{s-2}\ldots u_0$, where $u_0,\ldots,u_{s-1}\in\mathbb I_t$.
In view of the above conventions, for each $i\in\mathbb I_n$
432: the following expressions are well
433: defined:
434: $\pi_k^m(i),\pi_n^1(i)\in\mathbb I_n$ and $\pi_m^1(\delta_j^{m}(i))\in\mathbb I_m$.
435: In other words, $\pi_n^1(i)$ reads base-2 expansion of $i$ in reverse order,
436: while $\pi_k^m(i)$ reads base-$2^m$ expansion of $i$ in reverse order; e.g.
437: $\pi_4^1(7)=14$, $\pi_2^2(7)=13$. Often, when it is clear within
438: a context, we omit a superscript (sometimes together with a subscript) in $\pi_k^m$.
439:
440: Note that functions $\pi_k^m,\pi_n^1, \delta_j^{m}$, being compositions
441: of arithmetic and logical operators, are easily programmable: so
442: $\delta_j^{m}(i)=\frac{i\AND(2^{mj}(2^m-1))}{2^{mj}}$ (in particular
443: $\delta_j^{1}(i)=\frac{i\AND(2^{j})}{2^{j}}$)
444: is a composition of
445: $\AND$ (bitwise logical multiplication, bitwise conjunction) and left and right shifts, $\pi_n^1(i)=\delta_{n-1}^1(i)+\delta_{n-2}^1(i)\cdot 2+\cdots+\delta_0^1(i)\cdot
2^{n-1}$. Note that for certain $m,n$ both $\delta_j^{m}(i)$ and $\pi_n^1(i)$
are just a machine instruction (e.g., `read the $j$\textsuperscript{th} memory cell', the latter
assumed to be $m$-bit) or can be implemented with the
use of writing to and reading from memory. For instance, the byte order reversing
450: permutation
451: $\pi_k^8$ could be implemented with the use of stack writing-reading, whereas
452: $\pi_8^1$ could be stored in memory as one-dimensional byte array (the $i$\textsuperscript{th} byte
453: is $\pi_8^1(i)$); then $\pi_k^8$ and $\pi_8^1$ could be combined in an
easy program to obtain $\pi_n^1$. Also we notice that in fact
the mapping $\pi_n^1$ is used in simulation tasks whenever the integer output $s_0,s_1,\ldots$
$(s_i\in\{0,1,\ldots, 2^n-1\})$ of a pseudorandom number generator is converted into real
numbers $\{\frac{s_0}{2^n},\frac{s_1}{2^n},\ldots\}$ of the unit interval.
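As an added example (not the paper's own code), the Python functions below implement $\delta_j^m$ and $\pi_s^t$ with $\AND$ and shifts only, reproduce the values $\pi_4^1(7)=14$ and $\pi_2^2(7)=13$, assemble $\pi_{8k}^1$ from a stored $\pi_8^1$ byte table combined with a byte-order reversal, and illustrate the simulation remark: the binary digits after the point of $s/2^n$ are the bits of $\pi_n^1(s)$ in the paper's digit order. Function and table names are the example's own.

```python
def delta(j, i, m=1):
    """delta_j^m(i): the j-th base-2^m digit of i, computed as in the text,
    (i AND 2^{mj}(2^m - 1)) / 2^{mj}, i.e. by masking and shifting."""
    return (i & ((2 ** m - 1) << (m * j))) >> (m * j)


def pi(s, t, i):
    """pi_s^t(i): the s-digit base-2^t expansion of i read in reverse order.
    Requires 0 <= i < 2^{st}; digit j of the input becomes digit s-1-j."""
    if not 0 <= i < 2 ** (s * t):
        raise ValueError("i does not fit into s digits of base 2^t")
    out = 0
    for j in range(s):
        out += delta(j, i, t) << (t * (s - 1 - j))
    return out


def paper_notation(i, n):
    """The n bits of i written as the paper writes them: delta_0 first
    (less significant bits on the left), so 12 reads as '0011'."""
    return "".join(str(delta(j, i)) for j in range(n))


# pi_8^1 stored once as a 256-entry byte table, as the text suggests.
BYTE_REVERSE = [pi(8, 1, b) for b in range(256)]


def pi_bits_via_bytes(k, i):
    """pi_{8k}^1 assembled from pi_k^8 (reverse the byte order) and the
    pi_8^1 table (reverse the bits inside every byte)."""
    digits = i.to_bytes(k, "little")              # byte j == delta_j^8(i)
    return int.from_bytes(bytes(BYTE_REVERSE[b] for b in reversed(digits)),
                          "little")


def binary_fraction_digits(x, n):
    """Digits after the binary point of the real number x / 2^n (n <= 52, so
    the float is exact), obtained by repeated doubling.  They coincide with
    delta_0, delta_1, ... of pi_n^1(x): converting an n-bit generator output
    to the unit interval reads its bits in reverse order."""
    r = x / 2 ** n
    digits = []
    for _ in range(n):
        r *= 2
        d = int(r)
        digits.append(d)
        r -= d
    return digits
```

`pi(16, 1, i)` and `pi_bits_via_bytes(2, i)` agree on every 16-bit `i`, which is the combination of $\pi_k^8$ and $\pi_8^1$ described in the text; the table costs 256 bytes and replaces the bit loop by one lookup per byte.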
459:
It is worth mentioning here that, according to the conventions settled above,
we can consider bitwise logical operators (such as $\XOR$, $\AND$, etc.)
as functions defined on the set $\mathbb N_0=\{0,1,2,\ldots\}$: we merely represent
variables in their base-2 expansions (e.g., $1\XOR 3=2$, $1\AND 3=1$).
An $m$-bit right shift is just a multiplication by $2^m$, whereas an $m$-bit
left shift is integer division by $2^m$, i.e., $\lfloor\frac{\cdot}{2^m}\rfloor$,
with $\lfloor\alpha\rfloor$ being the greatest rational integer that does
not exceed $\alpha$ (shift directions refer to the bit order fixed next). Note that throughout the paper we represent integers $i$
in reverse bit order ---
less significant bits left, according to their occurrences in the $2$-adic
canonical representation
of $i=\delta_0(i)+\delta_1(i)\cdot 2+\delta_2(i)\cdot 4+\ldots$; so
$0011$ is $12$, and not $3$.
473:
Functions $\pi_s^t$ together with arithmetic operations (addition and multiplication)
as well as bitwise logical operations (such as $\XOR$, $\AND$) and other
``machine''
ones (such as left and right shifts) are ``building blocks'' of the pseudorandom
generators studied below, so for the reader's convenience we list the corresponding
operators
here,
supplying them with definitions and comments where necessary.
482:
483: Bitwise logical operators are defined by the following congruences, which
484: must hold for all $u,v\in\mathbb
485: N_0$ (or, equivalently, for all $u,v\in\mathbb Z_2$) and for all $j=0,1,2,\ldots$.
486: \begin{equation}
487: \label{eq:opBinLog}
488: \begin{split}
489: &\XOR,\ {\text {\rm or}}\ \oplus\, {\text{\rm , a bitwise `exclusive or' operator:}}\
490: \delta_j(u \XOR v)\equiv\\
491: &\delta_j(u)+\delta_j(v)\pmod 2;\\
492: &\AND,\ {\text {\rm or}}\ \wedge {\text
493: {\rm , a bitwise `and' operator, bitwise conjunction:}}\ \delta_j(u \AND v)\equiv\\
494: &\delta_j(u)\cdot\delta_j(v)\pmod 2;\\
495: &\OR,\ {\text {\rm or}}\ \vee {\text
496: {\rm , a bitwise `or' operator, bitwise disjunction:}}\ \delta_j(u \OR v)\equiv\\
497: &\delta_j(u)+\delta_j(v)+\delta_j(u)\cdot\delta_j(v) \pmod 2;\\
498: &\NEG,\ {\text {\rm or}}\ \neg\,
499: {\text{\rm , a bitwise negation:}}\ \delta_j(\NEG(u))\equiv\\
500: &\delta_j(u)+1\pmod 2.
501: \end{split}
502: \end{equation}
503: %\end{multiline}
504: %\renewcommand{\theenumi}{\alph{enumi}}
505: % \begin{enumerate}
506: % \item $\delta_j(u \XOR v)\equiv\delta_j(u)+\delta_j(v)\pmod 2$ (bitwise
507: % `exclusive or' operator);
508: % \item
509: % $\delta_j(u \AND v)\equiv\delta_j(u)\cdot\delta_j(v)\pmod 2$ (bitwise
510: % `and' operator, bitwise conjunction);
511: % \item
512: % $\delta_j(u \OR v)\equiv\delta_j(u)+\delta_j(v)+\delta_j(u)
513: % \cdot\delta_j(v) \pmod 2$ (bitwise `or' operator, bitwise disjunction);
514: % \item $\delta_j(\NEG(u))\equiv\delta_j(u)+1\pmod 2$ (bitwise negation).
515: % \end{enumerate}
516: %
The other bitwise logical operators (originating from e.g. implication,
etc.) could be defined by analogy.
519:
Note that all these operators are
defined on the set $\mathbb N_0$ of non-negative rational integers. Moreover,
they are defined on the set $\mathbb Z_2$ of all $2$-adic integers (see \cite{me-1,
me-2}). The latter ones within the context of this paper could be thought
of as countably infinite binary sequences with members indexed by $0,1,2,\ldots$.
Sequences with only a finite number of $1$'s correspond to non-negative
rational integers in their base-2 expansions, sequences with only a finite
number of $0$'s correspond to negative rational integers, while eventually periodic
sequences correspond to rational numbers represented by irreducible fractions
with odd denominators:
for instance, $3=11000\ldots$, $-3=10111\ldots$, $\frac{1}{3}=11010101\ldots$,
$-\frac{1}{3}=101010\ldots$. So $\delta_j(u)$ for $u\in\mathbb Z_2$ is merely
the $j$\textsuperscript{th} member of the corresponding sequence.
533:
534: Arithmetic operations
535: (addition and multiplication) with these sequences could be defined via standard
536: algorithms of addition and multiplication of natural numbers represented in base-2
537: expansions: Each member of a sequence, which corresponds to a sum (respectively,
538: to product) of two given sequences, will be calculated
539: by these algorithms within a finite number of steps.
540:
541: Thus, $\mathbb Z_2$ is
542: a commutative ring with respect to the so defined addition and multiplication.
543: It is a metric space with respect to the distance $d_2(u,v)$ defined by the following
544: rule: $d_2(u,v)=\|u-v\|_2=\frac{1}{2^n}$, where $n$ is the smallest non-negative
545: rational integer such that
546: $\delta_n(u)\ne\delta_n(v)$, and $d_2(u,v)=0$ if no such $n$ exists (i.e.,
547: if $u=v$). For instance $d_2(3,\frac{1}{3})=\frac{1}{8}$.
548: With the use
549: of this distance it is possible to define convergent sequences, limits,
550: continuous functions and derivatives in $\mathbb
551: Z_2$.
552:
For instance, with respect to the so defined distance, the following sequence
tends
to $-1$,
556: $$1,3,7,15,31,\ldots,2^n-1,\ldots\xrightarrow[d_2]{}-1,$$
557: bitwise logical operators (such as $\XOR, \AND$) define continuous
558: functions in two variables, the function $f(x)=x \XOR a$ is differentiable
559: everywhere on $\mathbb Z_2$ for every rational integer $a$: Its derivative
560: is $-1$ for negative $a$, and $1$ in the opposite case (see \ref{DerLog}
561: %and \ref{exDer}
562: for other examples of this
563: kind and more detailed calculations).
564:
565: Reduction
566: modulo $2^n$ of a $2$-adic integer $v$, i.e., setting all members of the
567: corresponding sequence with indexes greater than $n-1$ to zero (that is,
568: taking the first $n$ digits in the representation of $v$) is just an approximation
569: of a $2$-adic integer
570: $v$ by a rational integer with accuracy $\frac{1}{2^n}$: This approximation
571: is an $n$-digit positive rational integer $v \AND (2^n-1)$; the latter will
572: be denoted also as $v\bmod{2^n}$. For formal introduction to $p$-adic
573: analysis, precise notions and results see e.g. \cite{Mah} or \cite{Kobl}.
574: % We note, however, that
575: % the proofs of the present paper (with the only exception of \ref{2-comp}
576: % and \ref{AnyHalfPer}), contrasting to those of
577: % \cite{me-1, me-2}, do not involve $p$-adic
578: % techniques.
579: %
580:
581: Arithmetic and bitwise logical operations are not independent:
582: Some of them could be expressed via the others. For instance, for all
583: $u,v\in\mathbb Z_2$
584: \begin{equation}
585: \label{eq:id}
586: \begin{split}
587: &\NEG (u)=u \XOR (-1);\\
588: &\NEG (u)+u=-1;\\
589: &u \XOR v = u+v-2(u \AND v);\\
590: &u \OR v = u+v-(u \AND v);\\
591: &u \OR v=(u \XOR v)+(u \AND v).
592: \end{split}
593: \end{equation}
594: %$$\displaylines {\qquad\NEG (u)=u \XOR (-1);\hfill\cr
595: % \qquad\NEG (u)+u=-1;\hfill\cr
596: % \qquad u \XOR v = u+v-2(u \AND v);\hfill\cr
597: % \qquad u \OR v = u+v-(u \AND v);\hfill\cr
598: % \qquad u \OR v=(u \XOR v)+(u \AND v).\hfill\cr}$$
599: Proofs of these
600: identities \eqref{eq:id} are just an exercise: For example, if
601: $\alpha ,\beta\in\{0,1\}$ then $\alpha\oplus \beta=\alpha+\beta -2\alpha\beta$
602: and $\alpha\vee \beta=\alpha+\beta -\alpha\beta$. Hence:
\begin{multline*}
u \XOR v =\sum_{i=0}^\infty 2^i(\delta_i (u)\oplus \delta_i (v))=
\sum_{i=0}^\infty 2^i(\delta_i (u)+\delta_i (v)-2\delta_i (u)\delta_i (v))=\\
\sum_{i=0}^\infty 2^i\delta_i (u)+\sum_{i=0}^\infty 2^i\delta_i (v)-
2\cdot\sum_{i=0}^\infty 2^i\delta_i (u)\delta_i (v)=u+v-2(u \AND v).
\end{multline*}
Proofs of the remaining identities could be made by analogy
and thus are omitted. Right shift (towards more
significant digits), as well as masking and reduction modulo $2^m$ could
be derived from the above operations: an $m$-step shift of $u$ is $2^m u$;
masking of $u$ is $u \AND M$, where $M$ is an integer whose base-2 expansion
is a mask (i.e., a string of $0$'s and $1$'s); reduction modulo $2^m$, i.e.,
taking the least non-negative residue of $u$ modulo $2^m$ is $u \bmod 2^m=u
\AND (2^m-1)$.
617:
A common feature shared by the above-mentioned arithmetic, bitwise logical and machine
operations is that all of them, with the only exception of shifts towards less significant
bits, are {\it compatible}, i.e. $\omega(u,v)\equiv\omega(u_1,v_1)\pmod{2^r}$
whenever both congruences $u\equiv u_1\pmod{2^r}$ and $v\equiv v_1\pmod{2^r}$ hold
simultaneously. The notion of a compatible mapping can be naturally generalized
to mappings $(\mathbb Z/p^l)^{(t)}\rightarrow(\mathbb Z/p^l)^{(s)}$ and
$(\mathbb Z_p)^{(t)}\rightarrow(\mathbb Z_p)^{(s)}$; compatible
mappings of the latter kind can also be regarded as those satisfying the
Lipschitz condition with coefficient 1 (with respect to the $p$-adic distance),
see \cite{me-2}.
Obviously, a composition of compatible mappings
is a compatible mapping. We now list some important examples of compatible
operators $(\mathbb Z_p)^{(t)}\rightarrow(\mathbb Z_p)^{(s)}$, $p$ prime (see
\cite{me-2}). Part of them originates from arithmetic operations:
632:
633: %\renewcommand{\theenumiii}
634: \begin{equation}
635: \begin{split}
636: & {\text {\rm multiplication,}}\ \cdot:\ (u,v)\mapsto uv;\\
637: & {\text {\rm addition,}}\ +:\ (u,v)\mapsto u+v;
638: \\
639: & {\text {\rm subtraction,}}\ -:\ (u,v)\mapsto u-v;
640: \\
641: & {\text {\rm exponentiation,}}\ \uparrow_p:\ (u,v)\mapsto u\uparrow_p v=(1+pu)^v;
642: \ {\text{\rm in particular,}}
643: \\
644: & {\text {\rm raising to negative powers}},\ u\uparrow_p(-r)=(1+pu)^{-r}, r\in\mathbb N;
645: \ {\text{\rm and}}
646: \\
647: & {\text {\rm division,}}\ /_p: u/_pv=u\cdot (v\uparrow_p(-1))=\frac{u}{1+pv}.
648: \label{eq:opAr}
649: \end{split}
650: \end{equation}
651:
652: The other part originates from digitwise logical operations of $p$-valued logic:
653: \begin{equation}
654: \label{eq:opLog}
655: \begin{split}
656: & {\text {\rm digitwise multiplication}}\ u\odot_p v: \delta_j(u\odot_p
657: v)\equiv \delta_j (u)\delta_j (v)\pmod p;\\
658: & {\text {\rm digitwise addition}}\
659: u\oplus_p v: \delta_j(u\oplus_p
660: v)\equiv \delta_j (u)+\delta_j (v)\pmod p;\\
661: & {\text {\rm digitwise subtraction}}\
662: u\ominus_p v: \delta_j(u\ominus_p
663: v)\equiv \delta_j (u)-\delta_j (v)\pmod p.
664: \end{split}
665: \end{equation}
666: Here
667: $\delta_j(z)$ $( j=0,1,2,\ldots)$
668: stands for the $j$\textsuperscript{th} digit of $z$ in its base-$p$ expansion.
669:
More compatible mappings can be derived from the ones mentioned
above. For instance, reduction modulo $p^n$, $n\in\mathbb N$, is $u\bmod p^n= u\odot_p
\frac{p^n-1}{p-1}$, an $l$-step shift towards more significant digits is just
multiplication by $p^l$, etc. Obviously, $u\odot_2 v=u\AND v$ and $u\oplus_2
v=u\XOR v$.
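The identities \eqref{eq:id} and the digitwise operations \eqref{eq:opLog} can be exercised on ordinary integers. The following Python script is an added example and is not part of the paper: it treats Python's unbounded integers as truncated $2$-adic integers (a negative integer behaves as an infinite two's-complement string, so its bits are the $2$-adic digits $\delta_i$), handles only non-negative arguments for odd $p$, and all function names are ours.

```python
# Added example (not from the paper): the identities (eq:id) and the
# digitwise operations (eq:opLog) on ordinary integers.  Python ints act as
# truncated 2-adic integers: for negative u, (u >> i) & 1 is delta_i(u) for
# every i, and &, |, ^, ~ act digitwise.  For odd p only u, v >= 0 are handled.

def delta(z, j, p=2):
    """j-th base-p digit of z (for p = 2 also correct for negative z)."""
    if p == 2:
        return (z >> j) & 1
    assert z >= 0, "base-p digits of negative integers are not handled here"
    return (z // p ** j) % p


def xor_via_digits(u, v, nbits):
    """u XOR v modulo 2^nbits rebuilt from the digit identity
    a (+) b = a + b - 2ab, i.e. the proof of u XOR v = u + v - 2(u AND v)."""
    total = 0
    for i in range(nbits):
        a, b = delta(u, i), delta(v, i)
        total += 2 ** i * (a + b - 2 * a * b)
    return total % 2 ** nbits


def identities_hold(u, v, nbits=64):
    """All five identities of (eq:id), compared modulo 2^nbits."""
    m = 2 ** nbits
    neg = ~u                                          # NEG(u): every digit flipped
    return all([
        neg % m == (u ^ -1) % m,                      # NEG(u) = u XOR (-1)
        (neg + u) % m == (-1) % m,                    # NEG(u) + u = -1
        (u ^ v) % m == (u + v - 2 * (u & v)) % m,     # XOR via + and AND
        (u | v) % m == (u + v - (u & v)) % m,         # OR via + and AND
        (u | v) % m == ((u ^ v) + (u & v)) % m,       # OR via XOR and AND
    ])


def reduce_mod_2m(u, m):
    """Least non-negative residue of u modulo 2^m as the mask u AND (2^m - 1)."""
    return u & (2 ** m - 1)


def digitwise(u, v, p, op):
    """Apply op to the base-p digits of u, v >= 0 position by position,
    reducing each result modulo p: the pattern behind (eq:opLog)."""
    result, scale = 0, 1
    while u or v:
        result += scale * (op(u % p, v % p) % p)
        u, v, scale = u // p, v // p, scale * p
    return result


def odot(u, v, p):        # digitwise multiplication  u (.)_p v
    return digitwise(u, v, p, lambda a, b: a * b)


def oplus(u, v, p):       # digitwise addition  u (+)_p v
    return digitwise(u, v, p, lambda a, b: a + b)


def ominus(u, v, p):      # digitwise subtraction  u (-)_p v
    return digitwise(u, v, p, lambda a, b: a - b)


def reduce_mod_pn(u, p, n):
    """u mod p^n as u (.)_p (p^n - 1)/(p - 1): the 'mask' whose n lowest
    base-p digits are all 1 (the identity stated in the text)."""
    return odot(u, (p ** n - 1) // (p - 1), p)


if __name__ == "__main__":
    # constructed sample values, including negative ones for p = 2
    for u, v in [(0, 0), (5, 3), (-1, 7), (-12345, 678)]:
        print(u, v, identities_hold(u, v), xor_via_digits(u, v, 16) == (u ^ v) % 2 ** 16)
    print(odot(7, 5, 3), oplus(7, 5, 3), ominus(7, 5, 3), reduce_mod_pn(1000, 3, 3))
```

For $p=2$ the functions \texttt{odot} and \texttt{oplus} coincide with the machine operations \texttt{\&} and \texttt{\^{}}, which is the observation $u\odot_2 v=u\AND v$, $u\oplus_2 v=u\XOR v$ made above.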
675:
In the case $p=2$ compatible mappings can be characterized in terms of Boolean
functions. Namely, each mapping $T\colon\mathbb Z/2^n\rightarrow\mathbb Z/2^n$
can be
regarded as an ensemble of $n$ Boolean functions $\tau_i^T(\chi_0,\ldots,\chi_{n-1})$,
$i=0,1,2,\ldots,n-1$,
in $n$ Boolean variables $\chi_0,\ldots,\chi_{n-1}$ by putting $\chi_i=\delta_i(u)$,
$\tau_i^T(\chi_0,\ldots,\chi_{n-1})=\delta_i(T(u))$
for $u$ running from $0$ to $2^n-1$. The following proposition
holds.
685: \begin{prop}
686: \label{Bool}
687: {\rm (\cite[Proposition 3.9]{me-1})}
688: A mapping $T\colon\mathbb Z/2^n\rightarrow\mathbb Z/2^n$
689: {\rm (}accordingly, a mapping $T\colon\mathbb Z_2\rightarrow\mathbb Z_2${\rm
690: )}
691: is compatible
692: iff each Boolean function $\tau_i^T(\chi_0,\chi_{1},\ldots)=\delta_i(T(u))$,
693: $i=0,1,2,\ldots$,
694: does not depend on variables $\chi_{j}=\delta_j(u)$ for $j>i$.
695: \end{prop}
\begin{note*}
Mappings satisfying the conditions of the proposition are also known
as {\it triangle} mappings. After a proper restatement (in
terms of functions of $p$-valued logic) the proposition also holds for
odd prime $p$. For multivariate mappings Proposition \ref{Bool} holds as well:
a mapping $T=(t_1,\ldots,t_s)\colon(\mathbb Z_2)^{(r)}\rightarrow
(\mathbb Z_2)^{(s)}$ is compatible
iff each Boolean function $\tau_i^{t_k}(\chi_{1,0},\chi_{1,1},\ldots,
\chi_{r,0},\chi_{r,1},\ldots)=\delta_i(t_k(u_1,\ldots,u_r))$ ($i=0,1,2,\ldots$,
$k=1,\ldots,s$) does not depend on the variables $\chi_{\ell,j}=\delta_j(u_{\ell})$
for $j>i$ ($\ell=1,2,\ldots,r$).
\end{note*}
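As an added example (not from the paper), the following Python code checks Proposition \ref{Bool} on small $n$ in two independent ways: by building the truth tables of the Boolean functions $\tau_i^T$ and testing whether $\tau_i^T$ depends on some $\chi_j$ with $j>i$, and directly by the congruence definition of compatibility. The sample mappings and all names are ours; the shift towards less significant bits and a bit reversal serve as non-compatible counterexamples.

```python
# Added example (not from the paper): Proposition Bool for mappings of Z/2^n,
# checked in two independent ways on small n.  T is any Python callable on
# integers (reduced modulo 2^n here); all names are ours.

def truth_tables(T, n):
    """tau_i^T for i < n as dicts {(chi_0, ..., chi_{n-1}): delta_i(T(u))}."""
    tables = [dict() for _ in range(n)]
    for u in range(2 ** n):
        chi = tuple((u >> j) & 1 for j in range(n))
        t = T(u) % 2 ** n
        for i in range(n):
            tables[i][chi] = (t >> i) & 1
    return tables


def depends_on(table, j):
    """True iff flipping the variable chi_j changes the function somewhere."""
    for chi, value in table.items():
        flipped = chi[:j] + (1 - chi[j],) + chi[j + 1:]
        if table[flipped] != value:
            return True
    return False


def is_triangle(T, n):
    """Criterion of Proposition Bool: tau_i must not depend on chi_j for j > i."""
    tables = truth_tables(T, n)
    return all(not depends_on(tables[i], j)
               for i in range(n) for j in range(i + 1, n))


def is_compatible(T, n):
    """The definition: u = u1 (mod 2^r) implies T(u) = T(u1) (mod 2^r), r <= n."""
    m = 2 ** n
    for r in range(1, n + 1):
        mr = 2 ** r
        for u in range(m):
            for u1 in range(u % mr, m, mr):        # every u1 congruent to u mod 2^r
                if (T(u) - T(u1)) % mr:
                    return False
    return True


def leaking_bits(T, n):
    """For each output bit i, the input bits j > i that tau_i depends on
    (empty everywhere iff T is triangle, i.e. compatible)."""
    tables = truth_tables(T, n)
    return {i: [j for j in range(i + 1, n) if depends_on(tables[i], j)]
            for i in range(n)}


# constructed sample mappings on 5-bit words
SAMPLE_MAPS = {
    "x + 2x^2 (RC6 quadratic)": lambda x: x + 2 * x * x,
    "x XOR (2x + 1)": lambda x: x ^ (2 * x + 1),
    "x >> 1 (shift to less significant bits)": lambda x: x >> 1,
    "5-bit reversal": lambda x: int(f"{x:05b}"[::-1], 2),
}


def classify(n=5):
    """name -> (triangle?, compatible?); the two answers always agree."""
    return {name: (is_triangle(T, n), is_compatible(T, n))
            for name, T in SAMPLE_MAPS.items()}


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:45s} triangle={verdict[0]} compatible={verdict[1]}")
    print(leaking_bits(lambda x: x >> 1, 5))
```

For the shift $x\mapsto x\gg 1$ the function \texttt{leaking\_bits} reports that output bit $i$ depends on input bit $i+1$, which is exactly the failure of the triangle property described by the proposition.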
708:
Now, given a compatible mapping $T\colon\mathbb Z_2\rightarrow\mathbb Z_2$, one
can define an
induced mapping
$T\bmod2^n\colon\mathbb Z/2^n\rightarrow\mathbb Z/2^n$
by putting $(T\bmod 2^n)(z) =T(z)\bmod 2^n=(T(z))\AND(2^n-1)$
for $z=0,1,2,\ldots,2^n-1$. The induced mapping is obviously a
compatible mapping of the ring $\mathbb Z/2^n$ into itself. For odd prime
$p$, as well as in the multivariate case
$T\colon(\mathbb Z_p)^{(s)}\rightarrow(\mathbb Z_p)^{(t)}$,
an induced mapping $T\bmod p^n$ can be defined by analogy.
719: \begin{defn}
720: \label{def:erg}
721: (See \cite{me-2}). We call a compatible mapping $T\colon\mathbb Z_p\rightarrow\mathbb Z_p$
722: {\it bijective modulo $p^n$} iff the induced mapping $T\bmod p^n$ is a permutation
723: on $\mathbb Z/p^n$; we call $T$ {\it transitive modulo $p^n$}, iff $T\bmod p^n$
724: is a permutation with a single cycle. We say that $T$ is {\it
725: measure-preserving}
726: (respectively, {\it ergodic}),
727: iff $T$ is bijective (respectively, transitive) modulo $p^n$ for all $n\in\mathbb N$.
728: We call a compatible mapping
729: $T\colon(\mathbb Z_p)^{(s)}\rightarrow(\mathbb Z_p)^{(t)}$
730: {\it equiprobable modulo $p^n$} iff the induced mapping $T\bmod p^n$ maps
731: $(\mathbb Z/p^n)^{(s)}$ onto $(\mathbb Z/p^n)^{(t)}$, and each element of
732: $(\mathbb Z/p^n)^{(t)}$ has the same number of preimages in $(\mathbb Z/p^n)^{(s)}$.
733: A mapping $T\colon(\mathbb Z_p)^{(s)}\rightarrow(\mathbb Z_p)^{(t)}$ is called
734: {\it equiprobable} iff it is equiprobable modulo $p^n$ for all $n\in\mathbb
735: N$.
736: \end{defn}
\begin{note*} The terms measure-preserving, ergodic and equiprobable originate
from the theory of dynamical systems. Namely, a compatible mapping
$T\colon\mathbb Z_p\rightarrow\mathbb Z_p$ defines a dynamics on the measurable
space
$\mathbb Z_p$ endowed with the probability measure that is the normalized Haar measure.
The mapping $T$ is, e.g., ergodic with respect to this measure (in the
sense of the theory of dynamical systems) iff it satisfies \ref{def:erg},
see \cite{me-2} for details.
\end{note*}
746:
747: Both transitive modulo $p^n$ and equiprobable modulo $p^n$ mappings will
748: be used as building blocks of pseudorandom generators to provide both large
749: period
750: length and uniform distribution of output sequences. The following obvious
751: proposition holds.
752: \begin{prop}
753: \label{prop:Auto}
754: If the state transition function $f$ of the automaton $\mathfrak A$ is
755: transitive on the state set $N$, i.e., if $f$ is a permutation with a single cycle
756: of length $|N|$, if, further, $|N|$ is a multiple of $|M|$, and if the output function
757: $F:N\rightarrow M$ is equiprobable
758: {\rm (}i.e., $|F^{-1}(s)|=|F^{-1}(t)|$ for all $s,t\in M${\rm )}, then the output sequence
759: $\mathfrak S$ of the automaton $\mathfrak A$ is purely periodic with period length $|N|$
760: {\rm (i.e., maximum possible)}, and each element of
761: $M$ occurs at the period the same number of times: $\frac{|N|}{|M|}$ exactly. {\rm
762: That
763: is, the
764: output sequence $\mathfrak S$ is uniformly distributed.}
765: \end{prop}
766: \begin{defn}
767: \label{def:strict}
768: Further in the paper we call a sequence $\{s_i\in M\}$ over a finite set
769: $M$ {\it strictly uniformly
770: distributed} iff it is purely periodic with period length $t$,
and with every element of $M$ occurring at the period the same number of times,
772: i.e., exactly $\frac{t}{|M|}$. A sequence $\{s_i\in \mathbb Z_p\}$ of $p$-adic
773: integers is called {\it strictly uniformly
774: distributed modulo $p^k$} iff a sequence $\{s_i\bmod p^k\}$ of residues
775: modulo $p^k$ is strictly uniformly distributed over a residue ring $\mathbb Z/p^k$.
776: Also, we say that a sequence is purely periodic of period length {\it exactly}
777: $t$ iff it has no periods of lengths smaller than $t$. In this case $t$
778: is called the {\it exact period length} of the sequence.\footnote{An exact
779: period length is also called {\it the smallest period} of a sequence. We
780: do not use this term to avoid misunderstanding, since we consider a period
781: as a repeating part of a sequence.}
782: \end{defn}
\begin{note*} A sequence $\{s_i\in \mathbb Z_p\colon i=0,1,2,\ldots\}$ of $p$-adic
integers is uniformly distributed (with respect to the normalized Haar measure
$\mu$ on $\mathbb
Z_p$)\footnote{i.e., $\mu(a+p^k\Z_p)=p^{-k}$ for all $a\in\Z_p$ and all
$k=0,1,2,\ldots$} iff it is uniformly distributed modulo $p^k$ for all $k=1,2,\ldots$;
that is, for every $a\in\mathbb Z/p^k$ the relative numbers of occurrences
of $a$ in the initial segment of length $\ell$ of the sequence
$\{s_i\bmod p^k\}$ of residues
modulo $p^k$
are asymptotically equal,
i.e.,
$\lim_{\ell\to\infty}\frac{A(a,\ell)}{\ell}=\frac{1}{p^k}$, where
$A(a,\ell)=|\{s_i\equiv a\pmod{p^k}\colon i<\ell\}|$ (see \cite{KN} for
details). So strictly uniformly distributed sequences are uniformly distributed
in the common sense of the theory of distribution of sequences.
\end{note*}
799:
Thus,
putting $N=\mathbb Z/2^n$, $M=\mathbb Z/2^m$, $n=km$, and taking as $f$ and $F$,
respectively, $f=\overline f=\widetilde f\bmod {2^n}$ and $F=\overline
F=
\widetilde F\bmod{2^m}$,
where the function $\widetilde f:\mathbb Z_2\rightarrow \mathbb Z_2$ is
compatible and ergodic, and the function
$\widetilde F:(\mathbb Z_2)^{(k)}\rightarrow \mathbb Z_2$ is compatible
and equiprobable, we obtain an automaton that generates a uniformly
distributed periodic sequence, and the length of a period of this sequence
is $2^n$.
That is, each
element of $\mathbb Z/2^m$ occurs at the period the same number of times
(namely,
$2^{n-m}$). Obviously, the conclusion holds if one takes as
$F$ an arbitrary composition of the function
$\overline F=\widetilde F\bmod{2^m}$ and an equiprobable function: for
instance, one may put $F(i)=\overline F(\pi_n(i))$ or $F(i)=\delta_j^{m}(i)$,
etc. Also, the assertion is true for odd prime $p$ as well.
Since all the automata considered further in the paper are of this kind,
their output sequences (considered as sequences over $\mathbb Z/p^m$) are
uniformly distributed purely periodic sequences, and the length of their
periods is $p^n$,
{\slshape independently of the choice} both of the function $\widetilde f$ and of
the function $\widetilde F$. So, Proposition \ref{prop:Auto} makes it possible
to vary both the state transition and the output functions (for instance, to
make them key-dependent) {\slshape without} affecting the uniform distribution of
the output sequence.
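The following Python script, an added example that is not part of the paper, runs the automaton of Proposition \ref{prop:Auto} with $N=\mathbb Z/2^n$, $M=\mathbb Z/2^m$ and $F$ the reduction modulo $2^m$, and checks Definitions \ref{def:erg} and \ref{def:strict} by exhaustion. The state transition function $f(x)=1+x+4x^2$ is our choice of an ergodic function (its transitivity modulo $2^n$ is verified here only for small $n$, not derived from the tools of the next section); all names are ours.

```python
# Added example (not from the paper): the automaton of Proposition prop:Auto
# with N = Z/2^n and M = Z/2^m, together with brute-force checks of the
# definitions 'transitive / bijective / equiprobable modulo p^n' and
# 'strictly uniformly distributed'.  The state transition function below,
# f(x) = 1 + x + 4x^2, is our choice; it is verified by exhaustion, not by
# the paper's tools.  All names are ours.
from collections import Counter
from itertools import product


def is_transitive_mod(f, p, n):
    """z -> f(z) mod p^n is a permutation of Z/p^n with a single cycle."""
    m = p ** n
    z, orbit = 0, []
    for _ in range(m):
        orbit.append(z)
        z = f(z) % m
    return z == 0 and len(set(orbit)) == m


def is_bijective_mod(f, p, n):
    m = p ** n
    return len({f(z) % m for z in range(m)}) == m


def is_equiprobable_mod(F, p, n, s=1):
    """F: (Z/p^n)^s -> Z/p^n is onto and every value has equally many preimages."""
    m = p ** n
    counts = Counter(F(*args) % m for args in product(range(m), repeat=s))
    return len(counts) == m and len(set(counts.values())) == 1


def output_sequence(f, F, n, m, x0=0, length=None):
    """Run the automaton: state x in Z/2^n, x <- f(x) mod 2^n, output F(x) mod 2^m."""
    N, M = 2 ** n, 2 ** m
    length = 2 * N if length is None else length
    out, x = [], x0 % N
    for _ in range(length):
        out.append(F(x) % M)
        x = f(x) % N
    return out


def is_strictly_uniform(seq, M, t):
    """Definition def:strict: purely periodic with period length t, and every
    element of {0, ..., M-1} occurs exactly t/M times in a period.
    seq must contain at least two periods."""
    if t % M or len(seq) < 2 * t:
        return False
    periodic = all(seq[i] == seq[i + t] for i in range(len(seq) - t))
    counts = Counter(seq[:t])
    return periodic and all(counts[a] == t // M for a in range(M))


def f_quadratic(x):
    return 1 + x + 4 * x * x


if __name__ == "__main__":
    n, m = 6, 2
    print([is_transitive_mod(f_quadratic, 2, k) for k in range(1, n + 1)])
    seq = output_sequence(f_quadratic, lambda x: x, n, m)       # F = reduction mod 2^m
    print(seq[:16], is_strictly_uniform(seq, 2 ** m, 2 ** n))
```

The RC6 mapping $x\mapsto x+2x^2$ passes the bijectivity test but not the transitivity test (it fixes $0$), which is the difference between measure preservation and ergodicity in Definition \ref{def:erg}.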
828:
Of course, to make all this practicable, one needs to choose these functions
$f$ and $F$ from suitably large
classes of ergodic and equiprobable functions. In other words, one has
to obtain certain tools to produce a number of various measure preserving,
ergodic, and equiprobable mappings out of elementary compatible functions
like \eqref{eq:opBinLog} and \eqref{eq:opAr}. We consider these tools in the
next section, and also give some estimates of how big the produced classes
are.
837:
838: % These functions were described
839: % in \cite{me-1, me-2, me-conf, me-ex}.
840: %
841: % We recall some of the relevant results.
842: %
843: \section{Tools}
844: \label{sec:Tool}
In this section we introduce various techniques that enable one to construct
measure preserving and/or ergodic mappings, as well as to verify whether
a given mapping is measure preserving or, respectively, ergodic. We
focus mainly on the class of compatible mappings.
849: \subsection*{Using interpolation series and polynomials}
850:
851: The general characterization of compatible ergodic functions is given by
852: the following
853: \begin{thm}
854: \label{ergBin}
855: {\rm{(\cite{me-1},\cite{me-conf})}}
856: A function $f\colon{\mathbb Z}_{2}\rightarrow {\mathbb Z}_{2}$
857: is compatible iff it could be represented as
858: \begin{equation*}
859: f(x)=c_0+\sum^{\infty }_{i=1}c_{i}\,2^{\lfloor \log_2 i \rfloor}\binom{x}{i}
860: \qquad (x\in\mathbb Z_2);
861: \end{equation*}
862: The function $f$
863: is compatible and measure-preserving iff it could be represented as
864: \begin{equation*}
865: f(x)=c_0+x+\sum^{\infty }_{i=1}c_{i}\,2^{\lfloor \log_2 i \rfloor +1}\binom{x}{i}
866: \qquad (x\in\mathbb Z_2);
867: \end{equation*}
868: The function
869: $f$
870: is compatible and ergodic iff it could be represented as
871: \begin{equation*}
872: f(x)=1+x+\sum^{\infty}_{i=1}c_{i}2^{\lfloor \log_{2}(i+1)\rfloor+1}\binom{x}{i}
873: \qquad (x\in\mathbb Z_2),
874: \end{equation*}
875: where $c_0,c_1, c_2 \ldots \in {\mathbb Z}_2$.
876: \end{thm}
877: Here, as usual,
878: %\left(\matrix x\\ i\endmatrix\right)
879: \begin{equation*}
880: \binom{x}{i}=
881: \begin{cases}\dfrac{x(x-1)\cdots (x-i+1)}{i!},
882: & \text {for $i=1,2,\ldots$};\cr 1, & \text{for $i=0$},
883: \end{cases}
884: \end{equation*}
885: and $\lfloor\alpha\rfloor$ is the integral part of $\alpha$, i.e.,
886: the largest rational integer not exceeding $\alpha$.
887: %$\left(\matrix x\\ 0\endmatrix\right)=1$;
888: % where $a_{i}\in {\mathbb Z}_{p}$
889: % (in particular, for $a_{i}\in {\mathbb Z}$), $i=0,1,2,\ldots $ .
890: %
\begin{note*}
For odd prime $p$ the analogue of the statement of Theorem \ref{ergBin}
provides
only sufficient conditions for ergodicity (resp., measure preservation)
of $f$: namely, if $(c,p)=1$,
i.e., if $c$ is a unit (=invertible element) of $\mathbb Z_p$, then the
function
$f(x)=c+x+\sum^{\infty}_{i=1}c_{i}p^{\lfloor \log_{p}(i+1)\rfloor+1}\binom{x}{i}$
defines a compatible and ergodic mapping of $\mathbb Z_p$ onto itself,
and
the
function
$f(x)= c_0+c\cdot x+\sum^{\infty}_{i=1}c_{i}p^{\lfloor \log_{p}i\rfloor+1}\binom{x}{i}$
defines a compatible and measure preserving mapping of $\mathbb Z_p$ onto itself,
see \cite[Theorem 2.4]{me-2}.
\end{note*}
Thus, in view of Theorem \ref{ergBin} one can choose the state transition
function to be a polynomial with rational (not necessarily integer)
key-dependent coefficients, setting $c_i=0$ for all but finitely many $i$.
Note that to determine whether a given polynomial $f$ with rational (and not
necessarily integer) coefficients is integer valued (that is, maps $\mathbb
Z_p$ into itself), compatible and ergodic, it is sufficient to determine
whether it
induces a cycle on $O(\deg f)$ integral points. To be more exact, the following
proposition holds.
\begin{prop}
\label{prop:Qpol}
{\rm(see \cite[Proposition 4.2 (4.7 in preprint)]{me-2})}
A polynomial $f(x)\in {\Q}_{p}[x]$ is integer valued, compatible, and ergodic
{\rm (}resp., measure preserving{\rm)} iff
$$z\mapsto f(z)\bmod p^{\lfloor
\log_p (\deg f)\rfloor +3},$$
where $z$
runs through $0,1,\ldots,p^{\lfloor
\log_p (\deg f)\rfloor +3}-1$, is a compatible and transitive
{\rm (}resp., bijective{\rm)} mapping
%defines a compatible and transitive function on the residue ring
of the residue ring $\Z/p^{\lfloor
\log_p (\deg f)\rfloor +3}$ onto itself.
\end{prop}
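As an added example (not part of the paper), the following Python code builds a polynomial of the ergodic form of Theorem \ref{ergBin} with $c_i=0$ for $i>d$, expands it into the monomial basis (which exhibits the rational, non-integer coefficients), and applies the criterion of Proposition \ref{prop:Qpol} for $p=2$, i.e. transitivity modulo $2^{\lfloor\log_2 d\rfloor+3}$. The coefficient vector $c_1,\ldots,c_d$ and all names are ours.

```python
# Added example (not from the paper): polynomials over Q built as in
# Theorem ergBin with c_i = 0 for i > d, written in the monomial basis, and
# the test of Proposition prop:Qpol for p = 2 (transitivity modulo
# 2^{floor(log2 d) + 3}).  The coefficient vector and the names are ours.
from fractions import Fraction
from math import comb, factorial, floor, log2


def weights(coeffs):
    """[(i, c_i * 2^{floor(log2(i+1)) + 1})] for coeffs = [c_1, ..., c_d]."""
    return [(i, c * 2 ** (floor(log2(i + 1)) + 1))
            for i, c in enumerate(coeffs, start=1)]


def ergodic_binomial_polynomial(coeffs):
    """f(x) = 1 + x + sum_i c_i 2^{floor(log2(i+1))+1} C(x, i), evaluated
    exactly at non-negative integers x (binomial coefficients are integers)."""
    ws = weights(coeffs)
    return lambda x: 1 + x + sum(w * comb(x, i) for i, w in ws)


def monomial_coefficients(coeffs):
    """The same polynomial as [a_0, a_1, ...] with a_k in Q: the rational
    coefficients come from C(x, i) = x(x-1)...(x-i+1)/i!."""
    poly = [Fraction(1), Fraction(1)]                       # 1 + x
    for i, w in weights(coeffs):
        term = [Fraction(1)]                                # x(x-1)...(x-i+1)
        for r in range(i):                                  # multiply by (x - r)
            term = [(term[k - 1] if k > 0 else 0) - r * (term[k] if k < len(term) else 0)
                    for k in range(len(term) + 1)]
        for k, a in enumerate(term):
            while len(poly) <= k:
                poly.append(Fraction(0))
            poly[k] += Fraction(w, factorial(i)) * a
    while len(poly) > 1 and poly[-1] == 0:                  # drop a vanishing top degree
        poly.pop()
    return poly


def eval_monomial(poly, x):
    return sum(a * x ** k for k, a in enumerate(poly))


def transitive_mod_2k(f, k):
    """Brute force: the orbit of 0 under z -> f(z) mod 2^k is the whole ring."""
    m, seen, z = 2 ** k, set(), 0
    while z not in seen:
        seen.add(z)
        z = f(z) % m
    return z == 0 and len(seen) == m


def qpol_test(coeffs):
    """Proposition prop:Qpol for p = 2: ergodic iff transitive modulo
    2^{floor(log2(deg f)) + 3}; returns (modulus exponent, verdict)."""
    d = len(monomial_coefficients(coeffs)) - 1
    k = floor(log2(d)) + 3
    return k, transitive_mod_2k(ergodic_binomial_polynomial(coeffs), k)


if __name__ == "__main__":
    cs = [3, 1, 7, 2]                      # constructed 2-adic (here: integer) c_1..c_4
    print(monomial_coefficients(cs))
    print(qpol_test(cs), [transitive_mod_2k(ergodic_binomial_polynomial(cs), k) for k in (8, 10)])
```

For $c_3=1$ alone the monomial form is $1+\frac{11}{3}x-4x^2+\frac{4}{3}x^3$: the coefficients are not integers, yet the polynomial is integer valued and, by the proposition, its transitivity modulo $2^4$ already certifies ergodicity. The map $x\mapsto 1+x^2$ (coefficient $2$ instead of the required $4$ in front of $\binom{x}{2}$) fails the same test.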
931:
Although
it is not essential for further considerations, we note that
the series in the statement of \ref{ergBin} and of the note thereafter are
uniformly convergent with respect to the $p$-adic distance. Thus
the mapping $f\colon\mathbb Z_p\rightarrow\mathbb Z_p$ is well-defined
and continuous with respect to the $p$-adic distance,
see
\cite[Chapter 9]{Mah}.
940:
Theorem \ref{ergBin} enables one to use exponentiation in the design of
generators that are transitive modulo $2^n$ for all $n=1,2,3,\ldots$
(on exponential generators see e.g. \cite{LinRec}).
944:
\begin{exmp}
\label{expGen}
For any odd $a=1+2m$ the function $f(x)=ax+a^x$ defines
a generator $x_{i+1}=f(x_i)\bmod 2^n$ that is transitive modulo $2^n$.
950:
951: Indeed, in view of \ref{ergBin} the function $f$ defines a compatible and ergodic
952: mapping of $\mathbb Z_2$ onto $\mathbb Z_2$
953: since $f(x)=(1+2m)x+(1+2m)^x=x+2mx+\sum_{i=0}^\infty m^i 2^i\binom{x}{i}=
954: 1+x+4m\binom{x}{1}+
955: \sum_{i=2}^\infty m^i 2^i\binom{x}{i}$ and $i\ge\lfloor\log_2(i+1)\rfloor+1$
956: for all $i=2,3,4,\ldots$.
957:
Such a generator could be of practical value since it uses not more than
$n+1$ multiplications modulo $2^n$ of $n$-bit numbers; of course, one should
use lookups in the table
$a^{2^j}\bmod{2^n}$, $j=1,2,3,\ldots,n-1$. The latter table must be precomputed;
the corresponding calculations involve $n-1$ multiplications modulo $2^n$. Obviously,
one can use $m$ as a long-term key, with the initial state $x_0$ being
a short-term
key, i.e., one changes $m$ from time to time, but uses a new $x_0$ for each
new message. Obviously, without a properly
chosen output function such a generator is not secure. The choice of the output
function is discussed in more detail later in the paper.
969:
970: \end{exmp}
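The generator of Example \ref{expGen} in code, as an added example that is not from the paper: $a^x\bmod 2^n$ is assembled from the precomputed table $a^{2^j}\bmod 2^n$, one multiplication per set bit of $x$, and the script counts the multiplications per step and verifies transitivity modulo $2^n$ by exhaustion for small $n$. The class and function names are ours; $m$ and $x_0$ play the roles of the long-term and short-term key.

```python
# Added example (not from the paper): the generator of Example expGen,
# x_{i+1} = (a x_i + a^{x_i}) mod 2^n with a = 1 + 2m, where a^x is computed
# from the precomputed table a^(2^j) mod 2^n (one multiplication per set bit
# of x) so that a step costs at most n + 1 multiplications modulo 2^n.
# The class and function names are ours; m and x0 are stand-ins for the
# long-term and short-term key of the text.

class ExpGenerator:
    def __init__(self, m, n, x0=0):
        self.n = n
        self.mask = (1 << n) - 1                # reduction modulo 2^n
        self.a = (1 + 2 * m) & self.mask
        # table[j] = a^(2^j) mod 2^n, obtained by n - 1 squarings
        self.table = [self.a]
        for _ in range(n - 1):
            self.table.append((self.table[-1] * self.table[-1]) & self.mask)
        self.x = x0 & self.mask
        self.mults = 0                          # multiplications in the last step

    def a_pow(self, x):
        """a^x mod 2^n: multiply the table entries for the set bits of x."""
        r = 1
        for j in range(self.n):
            if (x >> j) & 1:
                r = (r * self.table[j]) & self.mask
                self.mults += 1
        return r

    def step(self):
        """x <- (a x + a^x) mod 2^n; returns the new state."""
        self.mults = 1                          # the product a * x
        ax = (self.a * self.x) & self.mask
        self.x = (ax + self.a_pow(self.x)) & self.mask
        return self.x


def full_period(m, n, x0=0):
    """(the 2^n states visited from x0, the state reached after 2^n steps)."""
    g = ExpGenerator(m, n, x0)
    states = [g.x]
    for _ in range((1 << n) - 1):
        states.append(g.step())
    return states, g.step()


def is_transitive(m, n):
    """Transitivity modulo 2^n: one cycle through all of Z/2^n."""
    states, wrap = full_period(m, n)
    return wrap == states[0] and sorted(states) == list(range(1 << n))


def max_multiplications(m, n):
    """Largest number of modular multiplications spent in one step."""
    g, worst = ExpGenerator(m, n), 0
    for _ in range(1 << n):
        g.step()
        worst = max(worst, g.mults)
    return worst


if __name__ == "__main__":
    print(full_period(1, 3)[0])
    print([is_transitive(5, n) for n in range(1, 11)], max_multiplications(5, 10))
```

For $a=3$ and $n=3$ the orbit of $0$ is $0,1,6,3,4,5,2,7$, a single cycle through all of $\mathbb Z/8$; the worst-case step (all bits of $x$ set) costs exactly $n+1$ multiplications.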
971: \begin{note*}
972: A similar argument shows that for every prime
973: $p$ and every $a\equiv 1\pmod
974: p$ the function $f(x)=ax+a^x$ defines a compatible and ergodic mapping
975: of $\mathbb Z_p$ onto itself.
976: \end{note*}
977:
978:
979: For polynomials with (rational or $p$-adic) integer coefficients
980: theorem \ref{ergBin} may be restated in the following form.
981: \begin{prop}
982: \label{ergPol}
983: {\rm (See \cite[Corollary 4.11]{me-1}, \cite[Corollary 4.7]{me-conf})}
984: Represent a polynomial $f(x)\in\mathbb Z_2[x]$ in a basis of descending
985: factorial powers
986: $$
987: x^{\underline 0}=1,\ x^{\underline 1}=x,\ x^{\underline 2}=x(x-1),\ldots,\
988: x^{\underline i}=x(x-1)\cdots(x-i+1),\ldots,$$
989: i.e., let
990: $$f(x)=\sum^{d}_{i=0}c_i\cdot x^{\underline i}$$
991: for $c_0,c_1,\dots,c_d\in\mathbb Z_2$. Then the polynomial $f$ induces
992: an ergodic {\rm (and, obviously, a compatible)} mapping of $\mathbb Z_2$ onto
993: itself iff its coefficients $c_0,c_1,c_2, c_3$ satisfy the following congruences:
994: $$c_0\equiv 1\ (\bmod\, 2),\quad c_1\equiv 1\ (\bmod\, 4),\quad c_2\equiv 0\
995: (\bmod\, 2),\quad c_3\equiv 0\ (\bmod\, 4).$$
996: The polynomial $f$ induces a measure preserving mapping iff
997: $$c_1\equiv 1\ (\bmod\, 2),\quad c_2\equiv 0\ (\bmod\, 2),\quad c_3\equiv 0\ (\bmod\, 2).$$
998: \end{prop}
Thus, to provide ergodicity of the polynomial mapping $f$
it is necessary and sufficient to fix only $6$ bits, while the other bits of the
coefficients of $f$ may vary (e.g., may be key-dependent). This guarantees transitivity
of the state transition function $z\mapsto f(z)\bmod 2^n$ for each $n$, and hence
uniform distribution of the output sequence.
1004:
Proposition \ref{ergPol} implies that a polynomial $f(x)\in\mathbb
Z[x]$ is ergodic (resp., measure preserving) iff it is transitive modulo 8
(resp., iff it is bijective modulo 4). A corresponding assertion
holds in the general case, for arbitrary prime $p$.
1009: \begin{thm}
1010: \label{ergPolGen}
1011: {\rm (See \cite{Lar}, \cite{me-2})} A polynomial $f(x)\in\mathbb Z_p[x]$
1012: induces an ergodic mapping of $\mathbb Z_p$ onto itself iff it is transitive
1013: modulo $p^2$ for $p\ne 2,3$, or modulo $p^3$, for $p=2,3$. The polynomial
1014: $f(x)\in\mathbb Z_p[x]$ induces a measure preserving mapping of
1015: $\mathbb Z_p$ onto itself iff it is bijective
1016: modulo $p^2$.
1017: \end{thm}
1018:
1019: \begin{exmp}
1020: The mapping $x\mapsto f(x)\equiv x+2x^2\pmod{2^{32}}$ (which is used in
1021: RC6, see \cite{RC6}) is bijective, since it is bijective modulo 4:
1022: $f(0)\equiv 0\pmod4$, $f(1)\equiv 3\pmod4$, $f(2)\equiv 2\pmod4$,
1023: $f(3)\equiv 1\pmod4$. Thus, the mapping
1024: $x\mapsto f(x)\equiv x+2x^2\pmod{2^{n}}$ is bijective for all $n=1,2,\ldots$.
1025: \end{exmp}
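As an added example (not part of the paper) the following Python code applies Proposition \ref{ergPol} to polynomials with integer coefficients: the monomial coefficients are converted to descending factorial powers via Stirling numbers of the second kind, $x^k=\sum_i S(k,i)\,x^{\underline i}$ (a standard identity; the choice of method is ours), the congruences on $c_0,\ldots,c_3$ are tested, and the verdicts are compared with the exhaustive checks of Theorem \ref{ergPolGen} for $p=2$ and of the RC6 mapping above. The sample polynomials and all names are ours.

```python
# Added example (not from the paper): Proposition ergPol for polynomials
# with integer coefficients, with the monomial basis converted to descending
# factorial powers through Stirling numbers of the second kind,
# x^k = sum_i S(k, i) x^(i) (a standard identity; our choice of method).
# The brute-force checks are those of Theorem ergPolGen for p = 2
# (transitive modulo 8, bijective modulo 4) and of the RC6 example.

def stirling2(k, i):
    """S(k, i): number of partitions of a k-element set into i blocks."""
    if k == i:
        return 1
    if i == 0 or i > k:
        return 0
    return i * stirling2(k - 1, i) + stirling2(k - 1, i - 1)


def to_falling_factorial(monomial):
    """[a_0, ..., a_d] (f = sum a_k x^k) -> [c_0, ..., c_d] (f = sum c_i x^(i))."""
    d = len(monomial) - 1
    return [sum(monomial[k] * stirling2(k, i) for k in range(i, d + 1))
            for i in range(d + 1)]


def ergodic_by_ergPol(monomial):
    """c_0 = 1 (mod 2), c_1 = 1 (mod 4), c_2 = 0 (mod 2), c_3 = 0 (mod 4)."""
    c = to_falling_factorial(monomial) + [0] * 4            # pad up to c_3
    return c[0] % 2 == 1 and c[1] % 4 == 1 and c[2] % 2 == 0 and c[3] % 4 == 0


def measure_preserving_by_ergPol(monomial):
    """c_1 = 1 (mod 2), c_2 = 0 (mod 2), c_3 = 0 (mod 2)."""
    c = to_falling_factorial(monomial) + [0] * 4
    return c[1] % 2 == 1 and c[2] % 2 == 0 and c[3] % 2 == 0


def evaluate(monomial, x):
    return sum(a * x ** k for k, a in enumerate(monomial))


def transitive_mod(monomial, m):
    """Brute force: the orbit of 0 under x -> f(x) mod m is all of Z/m."""
    seen, z = set(), 0
    while z not in seen:
        seen.add(z)
        z = evaluate(monomial, z) % m
    return z == 0 and len(seen) == m


def bijective_mod(monomial, m):
    return len({evaluate(monomial, z) % m for z in range(m)}) == m


# constructed sample polynomials, coefficient of x^0 first
SAMPLES = [
    [0, 1, 2],          # x + 2x^2: the RC6 mapping
    [1, 1, 4],          # 1 + x + 4x^2
    [1, 1, 2],          # 1 + x + 2x^2
    [1, 5, 0, 4],       # 1 + 5x + 4x^3
    [1, 1, 0, 2],       # 1 + x + 2x^3
    [3, 1, 0, 0, 8],    # 3 + x + 8x^4
]


def criteria_agree(polys=SAMPLES):
    """ergPol's congruences vs. the exhaustive tests of ergPolGen (p = 2)."""
    return all(ergodic_by_ergPol(f) == transitive_mod(f, 8)
               and measure_preserving_by_ergPol(f) == bijective_mod(f, 4)
               for f in polys)


if __name__ == "__main__":
    for f in SAMPLES:
        print(f, to_falling_factorial(f), ergodic_by_ergPol(f), measure_preserving_by_ergPol(f))
    print("RC6 x + 2x^2 bijective mod 2^12:", bijective_mod([0, 1, 2], 2 ** 12), criteria_agree())
```

For the RC6 mapping the falling-factorial coefficients are $c_0=0$, $c_1=3$, $c_2=2$: the measure-preservation congruences hold, the ergodicity ones do not ($c_0$ is even, and indeed $0$ is a fixed point), which matches the example above. Changing $x+2x^2$ to $1+x+4x^2$ makes all four congruences hold, so that polynomial is transitive modulo every $2^n$.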
Hence, with the use of Theorem \ref{ergPolGen} it is possible to
obtain transitive modulo $q>1$ mappings for arbitrary natural $q$: one can
just take $f(z)=(1+z+\hat qg(z))\bmod q$, where $g(x)\in\mathbb Z[x]$ is
an arbitrary polynomial, and $\hat q$ is the product of $p^{s_p}$ over all
prime factors $p$ of $q$, where $s_2=s_3=3$, and $s_p=2$ for $p\ne 2,3$. Again,
the polynomial $g(x)$ may be chosen, roughly speaking, `more or less at random',
i.e., it may be key-dependent, but the output sequence will be uniformly
distributed for any choice of $g(x)$. This assertion may be generalized
as well.
1035: \begin{prop}
1036: \label{ergAn} {\rm (\cite[Lemma 4.4 and Proposition 4.5; resp., Lemma
1037: 4.11 and Proposition 4.12 in the preprint]{me-2})} Let
1038: $p$ be a prime, and let
1039: $g(x)$ be an arbitrary composition of mappings listed in \eqref{eq:opAr}.
1040: Then the mapping $z\mapsto 1+z+p^2g(z)$\ $(z\in\mathbb Z_p)$ is ergodic.
1041: \end{prop}
1042:
1043: In fact, both propositions \ref{ergPol}, \ref{ergAn} and theorem \ref{ergPolGen}
1044: are
1045: particular cases of the following general
1046: \begin{thm}
1047: \label{ergAnGen}
1048: {\rm (\cite[Theorem 4.2, or 4.9 in the preprint]{me-2})}
1049: Let $\mathcal B_p$ be a class of all functions defined by series of
1050: a form $f(x)=\sum^{\infty}_{i=0}c_i\cdot x^{\underline i}$, where
1051: $c_0,c_1,\dots$ are $p$-adic integers, and
1052: %Represent a polynomial $f(x)\in\mathbb Z_2[x]$ in a descending factorial basis
1053: $x^{\underline i}$ $(i=0,1,2,\ldots)$
1054: %$(x)_1=x$, $(x)_2=x(x-1)$, $\ldots$, $(x)_i=x(x-1)\cdots(x-i+1),\ldots$
1055: are descending factorial powers {\rm(see \ref{ergPol})}.
1056: %i.e., let
1057: Then
1058: the function $f\in \mathcal B_p$ preserves measure iff it is bijective
1059: modulo $p^2$; $f$ is ergodic iff it is transitive modulo $p^2$
1060: {\rm(}for $p\ne 2,3${\rm)}, or modulo $p^3$ {\rm(}for $p\in\{2,3\}${\rm)}.
1061:
1062: \end{thm}
1063: \begin{note*} As it was shown in \cite{me-2}, the class $\mathcal B_p$
1064: contains all polynomial functions over $\mathbb Z_p$,
1065: as well as analytic (e.g., rational, entire) functions that are convergent everywhere
1066: on $\mathbb Z_p$. In fact, every mapping that is a composition
of arithmetic operators \eqref{eq:opAr} only belongs to $\mathcal B_p$; thus, every
1068: such mapping modulo $p^n$ could be induced by a polynomial with rational
1069: integer coefficients (see the end of Section 4 in \cite{me-2}). For instance,
1070: the mapping $x\mapsto (3x+3^x) \bmod 2^n$ (which is transitive modulo $2^n$,
1071: see \ref{expGen}) could be induced by a polynomial $1+x+4\binom{x}{1}+
1072: \sum_{i=2}^{n-1} 2^i\binom{x}{i}=1+5x+\sum_{i=2}^{n-1} \frac{2^i}{i!} \cdot
1073: x^{\underline i}$ --- just note that $c_i=\frac{2^i}{i!}$ are $2$-adic integers
1074: since the exponent of maximal power of $2$ that is a factor of $i!$
1075: is exactly $i-\wt_2i$,
where $\wt_2 i$ is the number of $1$'s in the base-2 expansion of $i$
1077: (see e.g. \cite[Chapter 1, Section 2, Exercise 12]{Kobl}); thus
1078: $\|c_i\|_2=2^{-\wt_2 i}\le 1$, i.e. $c_i\in \mathbb Z_2$ and so $c_i\bmod
1079: {2^n}\in \mathbb Z$.
1080: \end{note*}
1081:
Theorem \ref{ergAnGen} implies that, for instance, the state transition
function $f(z)=(1+z+\zeta(q)^2(1+\zeta(q)u(z))^{v(z)})\bmod q$ is transitive
modulo $q$ for each natural $q>1$ and arbitrary polynomials $u(x),v(x)\in\mathbb
Z[x]$, where $\zeta(q)$ is the product of all prime factors of $q$. So
one can choose as a state transition function not only polynomial functions, but
also rational functions, as well as analytic ones. It should be mentioned,
however, that this is merely the form in which the function is represented (which
could be suitable in some cases and unsuitable in others); for a
given $q$, all the
functions of this type may also be represented as polynomials over $\mathbb
Z$ (see \cite[Proposition 4.4; resp., Proposition 4.10 in the preprint]{me-2}).
For instance, certain generators
of inversive kind (i.e., those using the inverse modulo $2^n$) can
be considered in this manner.
\begin{exmp}
\label{Invers}
For $f(x)=\frac{1}{2x-1}-x$ the generator $x_{i+1}=f(x_i)\bmod{2^n}$ is transitive.
Indeed, the function $f(x)=(-1+2x-4x^2+8x^3-\cdots)-x=-1+x-4x^2+8(\cdots)$
is analytic
and defined everywhere on $\mathbb Z_2$; thus $f\in\mathcal B_2$. Now the
conclusion follows in view of \ref{ergAnGen}, since by direct calculation
it could easily be verified that the function $f(x)\equiv -1+x-4x^2\pmod
8$ is transitive modulo 8. Note that modulo $2^n$ the mapping $x\mapsto
f(x)\bmod 2^n$ could be induced by the polynomial $-1+x-4x^2+8x^3+\cdots+(-1)^n
2^{n-1}x^{n-1}$.
\end{exmp}
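The inversive generator of Example \ref{Invers} as an added example (not from the paper): the inverse modulo $2^n$ is computed with Python's three-argument \texttt{pow}, transitivity modulo $8$ and modulo larger $2^n$ is checked by exhaustion, and the same map is recomputed from the geometric series $1/(2x-1)=-(1+2x+4x^2+\cdots)$ truncated modulo $2^n$; that truncated polynomial and all names are our own derivation, not the paper's.

```python
# Added example (not from the paper): the inversive generator of Example
# Invers, x_{i+1} = (1/(2 x_i - 1) - x_i) mod 2^n.  The odd number 2x - 1 is
# inverted modulo 2^n with pow(., -1, 2^n) (Python >= 3.8); the transitivity
# modulo 8 required by Theorem ergAnGen (p = 2) and modulo larger 2^n is
# checked by exhaustion; and the same map is recomputed from the geometric
# series 1/(2x - 1) = -(1 + 2x + 4x^2 + ...) truncated modulo 2^n, which is
# our derivation of an integer polynomial inducing f modulo 2^n.

def inversive_step(x, n):
    """f(x) = 1/(2x - 1) - x reduced modulo 2^n."""
    M = 1 << n
    return (pow((2 * x - 1) % M, -1, M) - x) % M


def series_step(x, n):
    """f(x) mod 2^n from -(sum_{k<n} (2x)^k) - x: terms with k >= n vanish mod 2^n."""
    M = 1 << n
    return (-sum((2 * x) ** k for k in range(n)) - x) % M


def orbit_of_zero(n):
    """(states visited from 0 in 2^n steps, the state after 2^n steps)."""
    M = 1 << n
    seq, x = [], 0
    for _ in range(M):
        seq.append(x)
        x = inversive_step(x, n)
    return seq, x


def is_transitive(n):
    """One cycle through all of Z/2^n."""
    seq, wrap = orbit_of_zero(n)
    return wrap == 0 and len(set(seq)) == 1 << n


def series_agrees(n):
    """The polynomial of degree n - 1 induces the same map modulo 2^n."""
    return all(series_step(x, n) == inversive_step(x, n) for x in range(1 << n))


if __name__ == "__main__":
    print(orbit_of_zero(3)[0])                          # transitive modulo 8
    print([is_transitive(n) for n in range(1, 11)], series_agrees(8))
```

Modulo $8$ the orbit of $0$ is $0,7,6,5,4,3,2,1$, so the generator is transitive modulo $8$ and, by Theorem \ref{ergAnGen}, modulo every $2^n$; the exhaustive check confirms this up to $n=10$.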
1108: \subsection*{Combining operators}
1109: The class of all transitive modulo $q$ mappings, induced by polynomials with
1110: rational integer coefficients, is rather wide: For instance, for $q=2^n$
1111: it contains $2^{O(n^2)}$ mappings (for exact value
1112: see \cite[Proposition 15]{Lar}, or \ref{Num} below). However, it could
1113: be widened significantly (up to the class of order $2^{2^n-n-1}$ in case
1114: $q=2^n$), by admitting also operators \eqref{eq:opLog} in the composition.
It turns out that there is an easy way to construct a measure preserving or ergodic
mapping out of an arbitrary compatible mapping, i.e., out of an arbitrary
composition of both arithmetic \eqref{eq:opAr} and logical \eqref{eq:opLog}
operators.
1119: %Namely, the following
1120: %proposition holds.
\begin{prop}
\label{Delta} \cite[Lemma 2.1 and Theorem 2.5]{me-2}. Let $\Delta$ be the difference operator, i.e., $\Delta g(x)=g(x+1)-g(x)$
by definition. Let, further, $p$ be a prime, let $c$ be coprime with
$p$, $\gcd(c,p)=1$, and let $g\colon\mathbb Z_p\rightarrow
\mathbb Z_p$ be a compatible mapping. Then the mapping $z\mapsto c+z+p\Delta
g(z)\ (z\in\mathbb Z_p)$ is ergodic, and the mapping $z\mapsto d+cz+pg(z)$
%where $d,c\in\mathbb Z_p$, $g$ is compatible, and $c$ is coprime with $p$,
%defines a
preserves measure for arbitrary $d$.
1130: %mapping $f\colon\mathbb Z_p\rightarrow\mathbb
1131: %Z_p$
1132:
1133: Moreover, if $p=2$, then the converse also holds: Each compatible and ergodic
1134: \textup {(}respectively each compatible
1135: and measure preserving \textup {)}
1136: mapping $z\mapsto f(z)\ (z\in\mathbb Z_2)$ could be represented as
1137: $f(x)=1+x+2\Delta g(x)$ \textup {(}respectively as
1138: $f(x)=d+x+2g(x)$\textup {)} for suitable $d\in\mathbb Z_2$ and compatible
1139: $g\colon\mathbb
1140: Z_2\rightarrow \mathbb Z_2$.
1141: \end{prop}
1142: % \begin{proof}
1143: % The first assertion of the proposition is just Lemma
1144: % 2.1 of \cite{me-2}.
1145: % To prove the second assertion
1146: % recall that
1147: % each compatible mapping $g\colon\mathbb
1148: % Z_p\rightarrow\mathbb Z_p$
1149: % could be represented as
1150: % $$g(x)=c_0+\sum_{i=1}^{\infty}c_ip^{\lfloor\log_pi\rfloor}\binom{x}{i} \quad (x\in\mathbb
1151: % Z_p)$$
1152: % for suitable $c_0, c_1,\ldots,\in\mathbb Z_p$ (see e.g. 4.3 of \cite{me-1}).
1153: % Now, as $\Delta\binom{x}{i}=\binom{x}{i-1}$ for $i=1,2,\ldots$, we finish
1154: % the proof in view of \ref{ergBin}.
1155: % \end{proof}
\begin{note*} The case $p=2$ is the only case in which the converse of the first
assertion of Proposition \ref{Delta} holds.
1158: % Moreover, from \ref{ergBin}
1159: % it follows immediately that a mapping
1160: % $f\colon\mathbb Z_2\rightarrow\mathbb Z_2$ is compatible and measure preserving
1161: % iff it could be represented as $f(x)=d+x+2g(x)$, where $d\in\mathbb Z_2$
1162: % and $g$ is compatible. A formula $f(x)=d+c\cdot
1163: % x+pg(x)$, where $d,c\in\mathbb Z_p$, $g$ is compatible, and $c$ is coprime with $p$,
1164: % defines a measure preserving mapping $f\colon\mathbb Z_p\rightarrow\mathbb
1165: % Z_p$ for arbitrary prime $p$ (see a note after \ref{ergBin}), yet only
1166: % for $p=2$ this
1167: % formula describes {\it all} compatible measure preserving mappings.
1168: \end{note*}
1169: \begin{exmp}
1170: \label{KlSh-2}
1171: Proposition \ref{Delta} immediately implies
1172: Theorem 2 of \cite{KlSh}: For any composition $f$ of primitive functions,
1173: the mapping $x\mapsto x +2f(x )\pmod {2^n}$ is invertible --- just note
1174: that
1175: % The assertion
1176: % follows immediately from \ref{Delta} since each
1177: a composition of primitive
1178: functions is compatible (see \cite{KlSh} for the definition of primitive
1179: functions).\qed
1180: \end{exmp}
Proposition \ref{Delta} is perhaps the most important tool in the design of pseudorandom
generators such that both their state transition functions and output functions are
key-dependent.
The corresponding schemes are rather flexible: in fact, one may use a nearly
arbitrary composition of arithmetic and logical operators to produce a
strictly uniformly distributed sequence:
% We emphasize, in the example just mentioned the transitivity modulo $m=2^k$
% {\it does not depend} neither on $k$ nor on actual form of the composition
% $g$ ---
Both for
$g(x)=x\XOR(2x+1)$ and for
$$g(x)=\Biggl(1+2\frac{x\AND x^{2}+x^3\OR x^4}{3 + 4(5+6x^5)^{x^6\XOR x^7}}\Biggr)^{7+\frac{8x^8}{9+10x^9}}$$
the sequence $\{x_i\}$ defined by the recurrence relation
$x_{i+1}=(1+x_i+2(g(x_i+1)-g(x_i)))\bmod {2^n}$ is strictly uniformly distributed
in $\mathbb Z/2^n$ for each $n=1,2,3,\ldots$, i.e., the sequence $\{x_i\}$
%Actually, this sequence
is
purely periodic with {\slshape period length exactly} $2^n$, and {\slshape each} element
of
$\{0,1,\ldots,2^n-1\}$ occurs at the period {\slshape exactly once}. We will
demonstrate further that a designer can vary the function $g$ within a very
wide scope without worsening the prescribed values of
some important security indicators. In fact, in choosing the operators
\eqref{eq:opBinLog} and \eqref{eq:opAr} the designer is restricted
only by the desired performance, since any compatible ergodic mapping can
be produced in this way:
1207: \begin{cor}
1208: \label{erg-comp}
1209: %Under assumptions of the proposition \ref{Delta},
1210: Let $p=2$,
1211: and let $f$
1212: be a compatible
1213: and ergodic mapping of $\mathbb Z_2$ onto itself. Then for each $n=1,2,\ldots$
1214: the state transition function $f\bmod 2^n$ could be represented as a finite
1215: composition of operators \eqref{eq:opBinLog} and \eqref{eq:opAr}.
1216: \end{cor}
1217: \begin{proof}
1218: In view of proposition \ref{Delta} it is sufficient to prove that for
1219: arbitrary compatible $g$ the function $\bar g=g\bmod 2^n$ could be represented
1220: as a finite composition of operators \eqref{eq:opBinLog} and \eqref{eq:opAr}.
1221: In view of \ref{Bool}, one could
1222: represent $\bar g$ as
1223: $$\bar g(x)=\gamma_0(\chi_0)+2\gamma_1(\chi_0,\chi_1)+\cdots
1224: +2^{n-1}\gamma_{n-1}(\chi_0,\ldots,\chi_{n-1}),$$
1225: where $\gamma_i=\delta_i(\bar g)$, $\chi_i=\delta_i(x)$, $i=0,1,\ldots,n-1$.
1226: Since each $\gamma_i(\chi_0,\ldots,\chi_i)$ is a Boolean function in Boolean
1227: variables $\chi_0,\ldots,\chi_i$, it
1228: %could be expressed as a Boolean polynomial.
1229: %i.e., as a square-free polynomial over $\mathbb Z/2$ in variables $\chi_0,\ldots,\chi_i$.
1230: %Thus, each
1231: %$\gamma_i(\chi_0,\ldots,\chi_i)$
could be expressed via a finite number of $\XOR$s and $\AND$s of these variables
$\chi_0,\ldots,\chi_i$. Yet $x\AND(2^j)=2^j\chi_j$, so for $j\le i$ the word
$2^{i-j}(x\AND 2^j)=2^i\chi_j$ carries the variable $\chi_j$ in bit position $i$ and
zeros elsewhere; bitwise $\AND$s and $\XOR$s of such words (and of the constant $2^i$)
yield $2^i\gamma_i(\chi_0,\ldots,\chi_i)$, and summing these words over
$i=0,1,\ldots,n-1$ gives $\bar g(x)$. The conclusion follows.
1235: \end{proof}
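As an added illustration (Python code written for this page; it is not part of the paper), the script below runs the recurrence $x_{i+1}=(1+x_i+2(g(x_i+1)-g(x_i)))\bmod 2^n$ discussed above for two compatible $g$: the $g(x)=x\XOR(2x+1)$ of the text, and a cut-down form of the second example in which the bracketing $(x\AND x^2)+(x^3\OR x^4)$ is assumed, the division by the odd denominator is performed as multiplication by its inverse modulo $2^n$, and the $2$-adic exponentiation is dropped (an assumption made only to keep the code short; every remaining operation is still a compatible mapping). It verifies by enumeration that the output sequence has period exactly $2^n$ for $n=1,\ldots,10$, whereas iterating $g$ alone does not. All function names are mine.

```python
# Added example (not part of the paper): the generator x -> 1 + x + 2*(g(x+1) - g(x)) (mod 2^n)
# is a single cycle on Z/2^n for every compatible g.  Below g is built from the operators
# of the text; all of them are compatible (bit i of the result depends only on bits 0..i
# of the arguments), so reducing modulo 2^n once at the end is exact.

def inv_odd(a, n):
    """Inverse of an odd a modulo 2^n by Newton iteration (a*a = 1 mod 8 starts it)."""
    mask = (1 << n) - 1
    inv, bits = a & mask, 3
    while bits < n:
        inv = (inv * (2 - a * inv)) & mask     # each step doubles the number of correct bits
        bits *= 2
    return inv

def g_xor(x, n):
    """g(x) = x XOR (2x+1), the first example of the text."""
    return (x ^ (2 * x + 1)) & ((1 << n) - 1)

def g_mixed(x, n):
    """g(x) = 1 + 2 * ((x AND x^2) + (x^3 OR x^4)) / (3 + 4*(5 + 6x^5)), read with this
    bracketing; the 2-adic exponents of the text's example are left out (an assumption
    made here for brevity).  Division by the odd denominator is exact modulo 2^n."""
    mask = (1 << n) - 1
    num = ((x & (x * x)) + ((x ** 3) | (x ** 4))) & mask
    den = (3 + 4 * (5 + 6 * x ** 5)) & mask     # = 3 (mod 4): odd, hence invertible
    return (1 + 2 * num * inv_odd(den, n)) & mask

def delta_form(g):
    """State transition function f(x) = 1 + x + 2*(g(x+1) - g(x)) modulo 2^n."""
    def f(x, n):
        return (1 + x + 2 * (g(x + 1, n) - g(x, n))) & ((1 << n) - 1)
    return f

def cycle_length(f, n, start=0):
    """Length of the cycle of f through start modulo 2^n (0 if start is not on a cycle)."""
    x, k = f(start, n), 1
    while x != start:
        if k > (1 << n):
            return 0
        x, k = f(x, n), k + 1
    return k

def is_single_cycle(f, n):
    """True iff f permutes Z/2^n as one cycle, i.e. the output sequence has period 2^n."""
    return cycle_length(f, n) == (1 << n)

def period_table(f, max_n):
    """Period of the sequence x_{i+1} = f(x_i) started at 0, for n = 1..max_n."""
    return [cycle_length(f, n) for n in range(1, max_n + 1)]

if __name__ == "__main__":
    for name, g in (("x XOR (2x+1)", g_xor), ("mixed", g_mixed)):
        print(name, "periods of the Delta-form generator:", period_table(delta_form(g), 10))
    print("g_xor iterated directly:", period_table(g_xor, 10))
```

Since every operator used is a compatible mapping, $g$ modulo $2^n$ can be evaluated with ordinary machine integers and reduced once at the end; the Newton iteration is the usual way of obtaining the $2$-adic inverse of an odd word, and a single cycle of length $2^n$ through $0$ already implies that $f\bmod 2^n$ is a permutation.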
1236: \subsection*{Using Boolean representation}
1237: So, in case $p=2$ we have two equivalent descriptions of the class of all
1238: compatible ergodic mappings, namely, theorem \ref{ergBin} and proposition
1239: \ref{Delta}. They enable one to express {\slshape any} compatible and transitive
1240: modulo $2^n$ state transition function either as a polynomial of special kind
1241: over a field
1242: $\mathbb Q$ of rational numbers, or as a special composition of arithmetic
1243: and bitwise logical operations, \eqref{eq:opAr} and \eqref{eq:opBinLog}.
Both these representations are suitable for programming, since they involve
only standard machine instructions. However, we
need one more representation, in a Boolean form (see \ref{Bool}). Although this
representation is not very convenient for programming,
it will be used further for a better understanding of certain important properties
of the considered generators, as well as for proving the ergodicity of some
particular
mappings, see e.g. \ref{KlSh-3} below.
1252: %\begin{note*}
The following theorem is just a restatement of a known result from the theory
of Boolean functions, the so-called bijectivity/transitivity criterion for triangular
Boolean mappings.
However, the latter belongs to mathematical folklore, and thus it is somewhat
difficult to
attribute; a reader could find a proof in, e.g.,
\cite[Lemma 4.8]{me-1}.
1260: %\end{note*}
1261: \begin{thm}
1262: \label{ergBool}
1263: A mapping $T\colon\mathbb Z_2\rightarrow\mathbb Z_2$ is
1264: compatible and measure preserving iff for each $i=0,1,\ldots$ the Boolean function
1265: $\tau^T_i=\delta_i(T)$
1266: in Boolean variables $\chi_0,\ldots,\chi_{i}$ could be represented as Boolean
1267: polynomial of the form
1268: $$\tau^T_i(\chi_0,\ldots,\chi_i)=\chi_i+\varphi^T_i(\chi_0,\ldots,\chi_{i-1}),$$
1269: where $\varphi^T_i$
is a Boolean polynomial. The mapping $T$ is compatible and ergodic iff,
additionally, each Boolean function
$\varphi^T_i$ is of odd weight, that is,
takes the value $1$ at an odd number of points
$(\varepsilon_0,\dots,\varepsilon_{i-1})$, where
$\varepsilon_j\in\{0,1\}$ for $j=0,1,\ldots,i-1$. The latter takes place if and only
if $\varphi^T_0=1$ and, for $i\ge 1$, the degree of the Boolean polynomial $\varphi^T_i$ is exactly
$i$, that is, $\varphi^T_i$ contains the monomial
$\chi_0\cdots\chi_{i-1}$.
1280: \end{thm}
1281:
1282: % Also, it worth noticing here that mappings $T$
1283: % such that
1284: % $\tau^T_i(\chi_0,\ldots,\chi_i)=\chi_i+\varphi^T_i(\chi_0,\ldots,\chi_{i-1})$
1285: % for all
1286: % $i=0,1,2\ldots$ are known in dynamical systems theory as skew shifts on (infinite
1287: % dimensional) torus $\mathbb Z/2\times \mathbb Z/2\times\cdots$.
1288:
1289: \begin{exmp}
1290: \label{KlSh-3}
1291: With the use of \ref{ergBool} it is possible to give another proof of the
1292: main result of \cite{KlSh}, namely, of Theorem 3:
1293: {\it The mapping $f (x)=x +(x^2\vee C )$ over $n$-bit words is invertible
1294: if and only if the least significant bit of $C$ is 1. For $n\ge 3$ it is a permutation
1295: with a single cycle if and only if both the least significant bit and the third least
1296: significant bit of $C$ are $1$.}
1297:
1298: {\it Proof of theorem 3 of \cite{KlSh}.}
1299: % Note that $f$ is compatible, so bijectivity (resp.,
1300: % transitivity) of $f$ modulo $2^n$ implies bijectivity (resp.,
1301: % transitivity) of $f$ modulo $2^{n-1}$.
1302: Recall that for $x\in\mathbb Z_2$ and $i=0,1,2,\ldots$
1303: %consider it base-$2$ expansion
1304: %$x=x_0+x_1\cdot 2+x_2\cdot 4+x_i\cdot 2^i+\ldots$, i.e.,
1305: we denote $\chi_i=\delta_i(x)\in\{0,1\}$; also we denote $c_i=\delta_i(C)$.
1306: We will calculate $\delta_i(x+(x^2\vee C))$ as a Boolean
1307: polynomial in $\chi_0,\chi_1,\ldots$ and start with the following easy claims:
1308: \begin{itemize}
1309: \item $\delta_0(x^2)=\chi_0$,\ $\delta_1(x^2)=0$,\ $\delta_2(x^2)=\chi_0\chi_1+\chi_1$,
1310: \item $\delta_n(x^2)=\chi_{n-1}\chi_0+\psi_{n}(\chi_0,\ldots,\chi_{n-2})$ for all
1311: $n\ge 3$, where $\psi_{n}$ is a Boolean function in $n-1$
1312: Boolean
1313: variables $\chi_0,\ldots,\chi_{n-2}$.
1314: \end{itemize}
1315:
The first of these claims could be easily verified by direct calculations. To prove
the second one, represent $x=\bar x_{n-1}+2^{n-1}s_{n-1}$, where $\bar x_{n-1}=x\bmod
2^{n-1}$ and $s_{n-1}\in\mathbb Z_2$ (so that $\delta_0(s_{n-1})=\chi_{n-1}$), and
calculate $x^2=(\bar x_{n-1}+2^{n-1}s_{n-1})^2=
\bar x_{n-1}^2+2^{n}s_{n-1}\bar x_{n-1}+2^{2n-2}s_{n-1}^2\equiv\bar x_{n-1}^2+2^n\chi_{n-1}\chi_0
\pmod{2^{n+1}}$ for $n\ge 3$ (as $2n-2\ge n+1$ and $s_{n-1}\bar x_{n-1}\equiv\chi_{n-1}\chi_0\pmod 2$);
note that $\bar x_{n-1}^2$ depends only on
$\chi_0,\ldots,\chi_{n-2}$.
1327:
1328: This gives
1329: \begin{enumerate}
1330: \item $\delta_0(x^2\vee C)=\chi_0+c_0+\chi_0c_0$
1331: \item $\delta_1(x^2\vee C)=c_1$
1332: \item $\delta_2(x^2\vee C)=\chi_0\chi_1+\chi_1+c_2+c_2\chi_1+c_2\chi_0\chi_1$
1333: \item $\delta_n(x^2\vee C)=\chi_{n-1}\chi_0+\psi_{n}+c_n+c_n\chi_{n-1}\chi_0+c_n\psi_{n}$
1334: for $n\ge 3$
1335: \end{enumerate}
1336: From here it follows
1337: that if $n\ge 3$, then $\delta_n(x^2\vee C)=
1338: \lambda_n(\chi_0,\ldots,\chi_{n-1})$,
1339: %where
1340: %$\lambda_n=\lambda_n(\chi_0,\ldots,\chi_{n-1})$ is a Boolean polynomial in Boolean
1341: %variables $\chi_0,\ldots,\chi_{n-1}$,
1342: and $\deg \lambda_n\le
1343: n-1$, since $\psi_{n}$ depends only on, may be, $\chi_0,\ldots,\chi_{n-2}$.
1344:
Now successively calculate $\gamma_n=\delta_n(x+(x^2\vee C))$ for $n=0,1,2,\ldots$.
We have $\delta_0(x+(x^2\vee C))=c_0+\chi_0c_0$, so necessarily $c_0=1$,
since otherwise $f$ is not bijective modulo 2. Proceeding further with
$c_0=1$ we obtain $\delta_1(x+(x^2\vee C))=c_1+\chi_0+\chi_1$, since
the bit-$0$ summands are $\chi_0$ and $\delta_0(x^2\vee C)=1$, so that the carry into
bit $1$ is $\chi_0$. Then $\delta_2(x+(x^2\vee C))=(c_1\chi_0+c_1\chi_1+\chi_0\chi_1)+
(\chi_0\chi_1+\chi_1+c_2+c_2\chi_1+c_2\chi_0\chi_1)+\chi_2=
c_1\chi_0+c_1\chi_1+\chi_1+c_2+c_2\chi_1+c_2\chi_0\chi_1+\chi_2$,
here $c_1\chi_0+c_1\chi_1+\chi_0\chi_1$ is the carry into bit $2$. From here, in view of \ref{ergBool},
we immediately have $c_2=1$, since otherwise $\varphi_2$ lacks the monomial $\chi_0\chi_1$
and $f$ is not transitive
modulo 8.
1355: %(but bijectivity modulo 8 impose no restrictions on $c_2$ since conditions
1356: %of the above mentioned criterion $\vartriangle$ are satisfied).
1357: %Now denoting
1358: %$\delta_n(x+(x^2\vee C))=\gamma_n$
Now for $n\ge 3$
one has $\gamma_n=\alpha_{n}+\lambda_n
+\chi_n$, where $\alpha_n$ is a carry, and $\alpha_{n+1}=\alpha_n\lambda_n
+\alpha_n\chi_n+\lambda_n\chi_n$. But if $c_2=1$ then
$\nu=\chi_0\chi_1+\chi_1+c_2+c_2\chi_1+c_2\chi_0\chi_1=1$, so that
$\alpha_3=\mu\nu+\chi_2\mu+\chi_2\nu=\mu+\chi_2\mu+\chi_2$, where
$\mu=c_1\chi_0+c_1\chi_1+\chi_0\chi_1$; hence $\alpha_3$ contains the monomial
$\chi_0\chi_1\chi_2$ and $\deg\alpha_3=3$. Since $\deg\lambda_n\le n-1$ and
$\lambda_n$ does not involve $\chi_n$, the monomial $\chi_0\cdots\chi_n$ of
$\alpha_n\chi_n$ cannot cancel, and this implies inductively, in view of (4) above, that
$\deg\alpha_{n+1}=n+1$ and that $\gamma_{n+1}=\chi_{n+1}+\xi_{n+1}(\chi_0,\ldots,\chi_{n})$,
$\deg\xi_{n+1}=n+1$. So the conditions of \ref{ergBool} are satisfied, thus
finishing the proof of theorem 3 of \cite{KlSh}.\qed
1369: \end{exmp}
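To make Theorem \ref{ergBool} and the computation above concrete, here is an added Python script (written for this page; it is neither part of the paper nor of \cite{KlSh}) that extracts the algebraic normal form of each coordinate function $\delta_i(f)$ of a mapping modulo $2^n$ by a M\"obius transform of its truth table, applies the bijectivity/transitivity criterion, and compares the verdict with exhaustive search for $f(x)=x+(x^2\vee C)$ over all $n$-bit constants $C$. A mapping is passed as a Python function of the word and the word length; the function names are mine.

```python
# Added example (not from the paper): coordinate Boolean functions, their algebraic
# normal form (ANF) and the criterion of Theorem ergBool, checked against exhaustive
# search on the Klimov-Shamir map f(x) = x + (x^2 OR C).  A map is passed as a Python
# function f(x, n) of the word x and the word length n.

def anf(truth):
    """Moebius transform of a truth table indexed by x (bit j of x = variable chi_j);
    returns a[mask] = coefficient of the monomial prod_{j in mask} chi_j."""
    a = list(truth)
    for j in range(len(a).bit_length() - 1):
        bit = 1 << j
        for x in range(len(a)):
            if x & bit:
                a[x] ^= a[x ^ bit]
    return a

def coordinate_anf(f, n, i):
    """ANF of delta_i(f(x)) in chi_0..chi_i (relies on compatibility: bit i of f(x)
    depends on bits 0..i of x only, so x ranges over 0..2^{i+1}-1)."""
    return anf([(f(x, n) >> i) & 1 for x in range(1 << (i + 1))])

def is_t_function(f, n):
    """Compatibility check modulo 2^n: bit i of f(x) is unchanged by bits above i."""
    return all(((f(x, n) ^ f(x & ((2 << i) - 1), n)) >> i) & 1 == 0
               for x in range(1 << n) for i in range(n))

def boolean_criterion(f, n):
    """(bijective, transitive) modulo 2^n by Theorem ergBool: every delta_i(f) must be
    chi_i + phi_i(chi_0..chi_{i-1}); for transitivity phi_i must in addition have odd
    weight, i.e. contain the monomial chi_0...chi_{i-1} (phi_0 = 1)."""
    if not is_t_function(f, n):
        return False, False
    bijective = transitive = True
    for i in range(n):
        coef = coordinate_anf(f, n, i)
        top = 1 << i                      # mask of the monomial chi_i alone
        if coef[top] != 1 or any(coef[m] for m in range(top + 1, 2 * top)):
            bijective = False             # chi_i missing, or chi_i inside another monomial
        if coef[top - 1] != 1:
            transitive = False            # phi_i has even weight
    return bijective, bijective and transitive

def cycle_length(f, n, start=0):
    """Length of the cycle of f through start modulo 2^n (0 if start is not on a cycle)."""
    x, k = f(start, n), 1
    while x != start:
        if k > (1 << n):
            return 0
        x, k = f(x, n), k + 1
    return k

def brute_force(f, n):
    """(bijective, transitive) modulo 2^n by exhaustive search."""
    size = 1 << n
    bijective = len({f(x, n) for x in range(size)}) == size
    return bijective, bijective and cycle_length(f, n) == size

def klimov_shamir(C):
    """f(x) = x + (x^2 OR C) on n-bit words (the map of Theorem 3 of [KlSh])."""
    return lambda x, n: (x + ((x * x) | C)) & ((1 << n) - 1)

def check_klimov_shamir(n):
    """For every n-bit C (n >= 3): the ANF criterion, exhaustive search and the stated
    condition (invertible iff c_0 = 1; single cycle iff c_0 = c_2 = 1) all agree."""
    for C in range(1 << n):
        expected = ((C & 1) == 1, (C & 5) == 5)
        f = klimov_shamir(C)
        if boolean_criterion(f, n) != expected or brute_force(f, n) != expected:
            return False
    return True

def square(x, n):
    return (x * x) & ((1 << n) - 1)

if __name__ == "__main__":
    print("ANF of delta_2(x^2):", coordinate_anf(square, 3, 2))   # chi_1 + chi_0*chi_1
    print({n: check_klimov_shamir(n) for n in range(3, 7)})
```

The coefficient list returned for $\delta_2(x^2)$ has ones exactly at the masks of $\chi_1$ and $\chi_0\chi_1$, matching the first claim of the proof; for the Klimov--Shamir map the criterion and the exhaustive search agree with the stated condition on $c_0$ and $c_2$ for every $C$ and every $n$ tried.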
1370:
There are some more applications of Theorem \ref{ergBool}.
1372: \begin{prop}
1373: \label{compBool}
1374: Let
1375: $F\colon\mathbb Z_2^{n+1}\rightarrow\mathbb Z_2$ be a compatible mapping
1376: such that for all $z_1,\ldots,z_n\in\mathbb
1377: Z_2$ the mapping $F(x,z_1,\ldots,z_n)\colon\mathbb Z_2\rightarrow \mathbb
1378: Z_2$ is measure preserving. Then $F(f(x),2g_1(x),\ldots,2g_n(x))$ preserves
1379: measure for all compatible $g_1,\ldots,g_n\colon\mathbb Z_2\rightarrow \mathbb
1380: Z_2$ and all compatible and measure
1381: preserving $f\colon\mathbb Z_2\rightarrow \mathbb
1382: Z_2$. Moreover, if
1383: %$f,g$ are compatible
1384: $f$ is ergodic then $f(x+4g(x))$, $f(x\oplus (4g(x)))$, $f(x)+4g(x)$, and
$f(x)\oplus (4g(x))$ are ergodic for any compatible $g\colon\mathbb Z_2\rightarrow \mathbb
Z_2$.
\end{prop}
\begin{proof} Since the function $F$ is compatible, $\delta_i(F(u_0,u_1,\ldots,u_n))$
does not depend on $\delta_j(u_k)=\chi_{k,j}$ for $j>i$ (see \ref{Bool}
and note thereafter). Represent
1391: $$\delta_i(F(u_0,u_1,\ldots,u_n))=\chi_{0,i}\Psi_i(u_0,u_1,\ldots,u_n)+
1392: \Phi_i(u_0,u_1,\ldots,u_n),$$
1393: where Boolean polynomials
1394: $\Psi_i(u_0,u_1,\ldots,u_n)$, $\Phi_i(u_0,u_1,\ldots,u_n)$ do not depend on
1395: $\chi_{0,i}$;
1396: that is, they depend only on, may be,
1397: $$\chi_{0,0},\ldots,\chi_{0,i-1},
1398: \chi_{1,0},\ldots,\chi_{1,i},\ldots,\chi_{n,0},\ldots,\chi_{n,i}.$$
In view of \ref{ergBool} it follows that $\Psi_i=1$ since $F(x,z_1,\ldots,z_n)$
preserves measure for all $z_1,\ldots,z_n\in\mathbb Z_2$. Moreover, then
$\Phi_i(f(x),2g_1(x),\ldots,2g_n(x))$ does not depend on $\chi_i=\delta_i(x)$:
indeed, $\delta_j(f(x))$ for $j<i$ depends only on $\chi_0,\ldots,\chi_j$, and
$\delta_j(2g_k(x))=\delta_{j-1}(g_k(x))$ for $j\le i$ depends only on
$\chi_0,\ldots,\chi_{j-1}$, $k=1,2,\ldots,n$.
1403: Now, in view of \ref{ergBool} one has
1404: $\delta_i(f(x))=\chi_i+\xi_i(f(x))$, where $\xi_i(f(x))$ does not depend
1405: on $\chi_i$ since $f$ preserves measure.
1406: Finally,
1407: $$\displaylines{\delta_i(F(f(x),2g_1(x),\ldots,2g_n(x)))=\delta_i(f(x))+
1408: \Phi_i(f(x),2g_1(x),\ldots,2g_n(x))=\hfill\cr
1409: \hfill\chi_i + \xi_i(f(x))+
1410: \Phi_i(f(x),2g_1(x),\ldots,2g_n(x))=\chi_i+\Xi_i,\cr}$$
1411: where
1412: the Boolean polynomial
1413: $\Xi_i$ depends only on, may be, $\chi_0,\ldots,\chi_{i-1}$.
1414: This proves the
1415: first assertion of \ref{compBool} in view of \ref{ergBool}.
1416:
1417: We prove the second assertion along the similar lines. For $z\in\mathbb Z_2$
1418: and $i=0,1,2,\ldots$
1419: let $\zeta_i=\delta_i(z)$. Thus one can consider $\delta_i(z\oplus 4g(z))$ and
1420: $\delta_i(z+ 4g(z))$ as
1421: Boolean
1422: polynomials in Boolean variables $\zeta_0,\zeta_1,\ldots,\zeta_i$. Note that
1423: $\delta_i(z\oplus 4g(z))=\zeta_i+\lambda_i(z)$, where $\lambda_i(z)=0$
1424: for $i=0,1$ and $\deg\lambda_i(z)\le i-1$ for $i>1$, since for $i>1$ the Boolean
1425: polynomial $\lambda_i(z)$ depends, may be, only on $\zeta_0,\ldots,
1426: \zeta_{i-2}$.
1427:
1428: Next, we claim that
1429: $\delta_i(z+ 4g(z))=\delta_i(z)+\mu_i(z)$, where
1430: %the Boolean polynomial
1431: $\mu_i(z)=\mu_i^g(z)$ is 0 for $i=0,1$ and $\deg\mu_i(z)\le i-1$ for $i>1$.
1432: %satisfies exactly the same condition the polynomial $\lambda_i(z)$
1433: %does.
1434: Indeed, $\mu_i(z)=\lambda_i(z)+\alpha_i(z)$, where the Boolean polynomial
1435: $\alpha_i(z)$ is a carry. Yet $\alpha_i(z)=0$ for $i=0,1,2$,
1436: %$\alpha_3(z)=\delta_2(z)\delta_0(g(z)$,
1437: and
1438: $\alpha_i(z)=\zeta_{i-1}\lambda_{i-1}(z)+\zeta_{i-1}\alpha_{i-1}(z)+
1439: \lambda_{i-1}(z)\alpha_{i-1}(z)$ for $i\ge 3$, and $\alpha_i(z)$ depends
1440: only on, may be, $\zeta_0,\ldots,\zeta_{i-1}$ since $\alpha_i(z)$
is a carry. However, $\alpha_3(z)=\zeta_2\lambda_2(z)=\zeta_2\delta_0(g(z))$, so $\deg\alpha_3(z)\le 2$, and if $\deg\alpha_{i-1}(z)\le$
1442: i-2$ then $\deg\delta_{i-1}(z)\alpha_{i-1}(z)\le i-1$,
1443: $\deg\lambda_{i-1}(z)\alpha_{i-1}(z)\le i-1$, and
1444: $\deg\zeta_{i-1}\lambda_{i-1}(z)\le i-1$ since $\alpha_{i-1}(z)$ depends
1445: only on, may be, $\zeta_0,\ldots,\zeta_{i-2}$ and
1446: $\lambda_{i-1}(z)$ depends, may be, only on $\zeta_0,\ldots,
1447: \zeta_{i-3}$. Thus $\deg\alpha_i(z)\le i-1$ and hence $\deg\mu_i(z)\le
1448: i-1$.
1449:
Now, since $f(x)$ is
ergodic, $\delta_{i}(f(x))=\chi_i+\xi_i(x)$, where the Boolean polynomial
1452: $\xi_i$ depends only on, may be, $\chi_0,\ldots,\chi_{i-1}$ and,
1453: additionally, $\xi_0=1$, and $\deg\xi_i=i$ for $i>0$ (see \ref{ergBool});
1454: i.e. $\xi_i(x)=\chi_0\chi_1\cdots\chi_{i-1}+\vartheta_i(x)$,
1455: where $\deg\vartheta_i(x)\le i-1$ for $i>0$.
1456: Hence, for $\ast\in\{+,\oplus\}$ one has
1457: $\delta_{i}(f(x\ast 4g(x)))=\delta_i(x\ast 4g(x))+
1458: \delta_0(x\ast 4g(x))\delta_1(x\ast 4g(x))\cdots\delta_{i-1}(x\ast 4g(x))+
1459: \vartheta_i(x\ast 4g(x))$; thus $\delta_{i}(f(x\ast 4g(x)))=\chi_i+
1460: \chi_0\cdots\chi_{i-1}+ \beta_i^\ast(x)$, where $\deg\beta_i^\ast(x)\le
i-1$ for $i>0$, and $\delta_0(f(x\ast 4g(x)))=\delta_0(x\ast 4g(x))+1=\chi_0+1$.
1462: Finally, $f(x\ast 4g(x))$ for $\ast\in\{+,\oplus\}$ is ergodic in view of
1463: \ref{ergBool}.
1464:
In a similar manner it could be demonstrated that $f(x)\ast 4g(x)$ is ergodic
for $\ast\in\{+,\oplus\}$: $\delta_i(f(x)\ast 4g(x))=\delta_i(f(x))$
for $i=0,1$, and these satisfy the conditions of \ref{ergBool}. For $i>1$
one has $\delta_i(f(x)\oplus 4g(x))=\chi_i+\xi_i(x)+\delta_{i-2}(g(x))$;
1469: but $\delta_{i-2}(g(x))$ does not depend on $\chi_{i-1},\chi_{i}$.
1470: Thus the Boolean polynomial $\xi_i(x)+\delta_{i-2}(g(x))$ in variables
1471: $\chi_0,\ldots,\chi_{i-1}$ is of odd weight, since $\xi_i(x)$
1472: is of odd weight, thus proving that $f(x)\oplus 4g(x)$ is ergodic.
1473:
1474: Now represent $g(x)=g(f^{-1}(f(x)))=h(f(x))$, where $f^{-1}(x)$ is the
1475: inverse mapping for $f$. Clearly, $f^{-1}(x)$ is well defined since
1476: the mapping $f\colon\mathbb Z_2\rightarrow\mathbb Z_2$ is bijective;
1477: moreover $f^{-1}(x)$
1478: is compatible and ergodic. Finally
1479: $\delta_i(f(x)+ 4g(x))=\delta_i(f(x))+\mu_i^\prime(f(x))$,
1480: where the Boolean polynomial
1481: $\mu_i^\prime(x)=\mu_i^{h}(x)$ in Boolean variables
1482: $\chi_0,\ldots,\chi_{i-1}$ does not contain a monomial
1483: $\chi_0\cdots\chi_{i-1}$ (see the claim above). This implies that the Boolean polynomial
1484: $\mu_i^\prime(f(x))$ in Boolean variables $\chi_0,\ldots,\chi_{i-1}$
1485: does not contain a monomial $\chi_0\cdots\chi_{i-1}$ either,
since $\delta_j(f(x))=\chi_j+\xi_j(x)$, where $\xi_j(x)$ depends only,
may be, on $\chi_0,\ldots,\chi_{j-1}$ for every $j$ (after this substitution the
variable of the largest index in any monomial comes from a single factor
$\chi_j+\xi_j(x)$, so a monomial of $\mu_i^\prime$ missing some of
$\chi_0,\ldots,\chi_{i-1}$ cannot produce $\chi_0\cdots\chi_{i-1}$). Hence,
1488: $\delta_i(f(x)+ 4g(x))=\chi_i+\xi_i(x)+\mu_i^\prime(f(x))$ and the
1489: Boolean polynomial $\xi_i(x)+\mu_i^\prime(f(x))$ in Boolean variables
1490: $\chi_0,\ldots,\chi_{i-1}$ is of odd weight. This finishes the
1491: proof in view of \ref{ergBool}.
1492: \end{proof}
1493: \begin{exmp}
1494: \label{XOR}
1495: With the use of \ref{compBool} it is possible to construct very fast generators
1496: $x_{i+1}=f(x_i)\bmod 2^n$ that are transitive modulo $2^n$.
1497: For instance, take
1498: %let the state transition function
1499: %of the generator be
1500: $$f(x)=(\ldots((((x+c_0)\oplus d_0)+c_1)\oplus d_1)+\cdots +c_m)\oplus
1501: d_m,$$
1502: where $c_0\equiv 1\pmod 2$, and the rest of $c_i,d_i$ are 0 modulo 4.
1503: By the way, this generator, looking somewhat `linear', is as a rule rather
1504: `nonlinear': the corresponding polynomial over $\mathbb Q$ is of high degree.
The general case of these functions $f$ (for arbitrary $c_i, d_i$)
was studied by the author's student Ludmila Kotomina: she proved that such
a function
is ergodic iff it is transitive modulo 4.
1509: \end{exmp}
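Both statements of this example can be checked by machine. The Python script below (added for this page; it is neither the author's nor Kotomina's code) builds the generator from arbitrary constant lists, verifies the sufficient condition $c_0\equiv 1\pmod 2$, all other $c_i,d_i\equiv 0\pmod 4$ for $n\le 8$, tests the `ergodic iff transitive modulo 4' criterion on seeded pseudo-random constants, and also exercises the four constructions of Proposition \ref{compBool} with an ergodic $f$ of this form and a compatible $g$ of my own choosing. The names, seeds and sample constants are mine.

```python
# Added example (not from the paper): the add/xor chain generator of Example XOR,
#   f(x) = (...(((x + c_0) XOR d_0) + c_1) XOR d_1 ...) + c_m) XOR d_m   (mod 2^n),
# checked two ways: (i) with c_0 odd and every other c_i, d_i = 0 (mod 4) it is a
# single cycle modulo each 2^n, as Proposition compBool implies; (ii) for arbitrary
# constants it is a single cycle modulo 2^n exactly when it is one modulo 4
# (Kotomina's criterion), tried on seeded pseudo-random constants.  The last function
# checks the four constructions of Proposition compBool directly.

import random

def add_xor_chain(cs, ds):
    """f(x, n) for the constant lists cs = [c_0, ..., c_m] and ds = [d_0, ..., d_m]."""
    def f(x, n):
        mask = (1 << n) - 1
        for c, d in zip(cs, ds):
            x = ((x + c) ^ d) & mask      # both steps are compatible: masking last is exact
        return x
    return f

def cycle_length(f, n, start=0):
    """Length of the cycle of f through start modulo 2^n (0 if start is not on a cycle)."""
    x, k = f(start, n), 1
    while x != start:
        if k > (1 << n):
            return 0
        x, k = f(x, n), k + 1
    return k

def is_single_cycle(f, n):
    return cycle_length(f, n) == (1 << n)

def check_sufficient_condition(seed=1, trials=50, m=3, max_n=8):
    """c_0 odd and all other constants multiples of 4: single cycle for n = 1..max_n."""
    rng = random.Random(seed)
    for _ in range(trials):
        cs = [rng.randrange(1 << max_n) | 1] + [4 * rng.randrange(1 << (max_n - 2)) for _ in range(m)]
        ds = [4 * rng.randrange(1 << (max_n - 2)) for _ in range(m + 1)]
        f = add_xor_chain(cs, ds)
        if not all(is_single_cycle(f, n) for n in range(1, max_n + 1)):
            return False
    return True

def check_mod4_criterion(seed=2, trials=200, m=3, n=8):
    """Arbitrary constants: (criterion agrees on every trial, number of single cycles)."""
    rng = random.Random(seed)
    single = 0
    for _ in range(trials):
        cs = [rng.randrange(1 << n) for _ in range(m + 1)]
        ds = [rng.randrange(1 << n) for _ in range(m + 1)]
        f = add_xor_chain(cs, ds)
        mod4 = is_single_cycle(f, 2)
        if mod4 != is_single_cycle(f, n):
            return False, single
        single += mod4
    return True, single

def compbool_constructions(f, g, max_n=8):
    """Proposition compBool: for ergodic f and any compatible g, each of
    f(x + 4g(x)), f(x XOR 4g(x)), f(x) + 4g(x), f(x) XOR 4g(x) is ergodic."""
    variants = [
        lambda x, n: f((x + 4 * g(x, n)) & ((1 << n) - 1), n),
        lambda x, n: f((x ^ (4 * g(x, n))) & ((1 << n) - 1), n),
        lambda x, n: (f(x, n) + 4 * g(x, n)) & ((1 << n) - 1),
        lambda x, n: (f(x, n) ^ (4 * g(x, n))) & ((1 << n) - 1),
    ]
    return all(is_single_cycle(v, n) for v in variants for n in range(1, max_n + 1))

if __name__ == "__main__":
    print(check_sufficient_condition(), check_mod4_criterion())
    ergodic_f = add_xor_chain([5, 12], [8, 4])           # c_0 odd, the rest = 0 (mod 4)
    print(compbool_constructions(ergodic_f, lambda x, n: ((x * x) | (x + 7)) & ((1 << n) - 1)))
```

Roughly a quarter of the random constant sets pass the modulo-$4$ test, and for each of them the cycle modulo $2^8$ has full length, while none of the others does; the first function never fails, as Proposition \ref{compBool} predicts, because each $\oplus d_i$ and $+c_i$ step with $c_i,d_i\equiv 0\pmod 4$ is one of the four constructions applied to an ergodic map.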
1510: \subsection*{Counting the number of transitive mappings}
The preceding results enable us to calculate the number of
1512: all compatible transitive modulo $2^n$ mappings
1513: of $\mathbb Z/2^n$ onto itself and
1514: the number of them
1515: that are induced by {\it polynomial mappings over} $\mathbb Z$, i.e.,
1516: that could be expressed as polynomials
1517: with rational integer coefficients.
1518: \begin{prop}
1519: \label{Num}
1520: There are exactly $2^{2^n-n-1}$ compatible and transitive modulo
1521: $2^n$ mappings $T\colon\mathbb Z/2^n\rightarrow\mathbb Z/2^n$. For $n\le
1522: 3$ all of them could be represented as polynomials over $\mathbb Z$; if
1523: $n>3$, then exactly $2^{\sum_{i=0}^{\rho(n)}(n-i+\wt_2i)-6}$
1524: %$2^{2+\frac{1}{2}n(n-1)+\sum_{i=1}^n\wt_2i}$
1525: of them could be represented
1526: as polynomials over $\mathbb Z$ {\rm (see \ref{ergPol}).} Moreover,
1527: $\sum_{i=0}^{\rho(n)}(n-i+\wt_2i)-6\sim \frac{1}{2}n^2$ as $n\to\infty$.
1528: {\rm Here $\wt_2i$ is the binary weight of non-negative rational integer $i$
1529: {\rm (}i.e., the number of $1$'s in base-$2$ expansion of $i${\rm )},
1530: and $\rho(n)$ is the biggest natural number $k$ such that $k-\wt_2k<n$.}
1531: % Obviously,
1532: % $\sum_{i=1}^n\wt_2i=O(n\log_2n$).
1533: \end{prop}
1534: \begin{proof}
1535: The first assertion is an easy consequence of \ref{ergBool}: obviously,
1536: the number
1537: of Boolean functions of odd weight in $i$ variables is exactly $2^{2^i-1}$,
1538: and the result follows.
1539:
1540: To prove the second assertion we first note that each integer-valued polynomial
1541: $f(x)\in\mathbb Q_p[x]$
1542: over a field $\mathbb Q_p$ of $p$-adic numbers (that is, a polynomial, which takes
1543: values in $\mathbb Z_p$ at each point of $\mathbb Z_p$) admits a unique
1544: representation
1545: \begin{equation}
1546: \label{eq:Bin}
1547: f(x)=\sum_{i=0}^{\infty}a_i\binom{x}{i}
1548: \end{equation}
1549: for suitable $a_0,a_1,a_2,\dots\in\mathbb Z_p$, with only finite number
1550: of non-zero $a_0,a_1,a_2,\dots$ (see e.g. \cite{Mah}). Further, the polynomial
1551: \eqref{eq:Bin} is identically zero modulo $2^n$ iff $a_i\equiv 0\pmod{2^n}$
1552: for all $i=0,1,2,\dots$ (see proposition 4.2 of \cite{me-1}). Lastly, the
1553: polynomial \eqref{eq:Bin} is a polynomial over $\mathbb Z_2$ iff it could
1554: be represented in the form of \ref{ergPol}, i.e., iff
1555: $a_i\equiv 0\pmod{2^{\ord_2i!}}$ for all $i=0,1,2,\dots$. Here and after
$\ord_p q$ stands for the greatest power of a prime $p$ which divides $q\in\mathbb
N$: $p^{\ord_p q}\mid q$, but $p^{1+\ord_p q}\nmid q$; it is well known
1559: that $\ord_p i!=\frac{1}{p-1}(i-\wt_pi)$, see e.g. \cite{Kobl}, Chapter
1560: 1, Section 2, Exercise 13.
1561:
1562: Thus, each mapping of $\mathbb Z/2^n$ onto $\mathbb Z/2^n$ that is
1563: induced by polynomial over $\mathbb Z$
1564: admits a unique representation by polynomial \eqref{eq:Bin} of degree not greater
1565: than $\rho(n)$, and with $a_0,a_1,a_2,\dots\in\mathbb Z/2^n$ such that $a_i\equiv
1566: 0\pmod{2^{i-\wt_2i}}$ for $i=2,3,\dots$. In view of \ref{ergBin}, the latter polynomial
1567: is transitive modulo $2^n$ iff $a_0\equiv 1\pmod{2}$, $a_1\equiv 1\pmod
1568: 4$, and $a_i\equiv 0\pmod{2^{\lfloor\log_2(i+1)\rfloor+1}}$ for $i=2,3,\dots$.
1569: Since $i-\wt_2i<\lfloor\log_2(i+1)\rfloor+1$ iff $i=0,1,2,3$, the
1570: number of all transitive modulo $2^n$ mappings of $\mathbb Z/2^n$
1571: into $\mathbb Z/2^n$ that are induced by polynomials over $\mathbb Z$ is exactly
$2^{\eta(n)}$, where $\eta(n)=4n-8+\sum_{i=4}^{\rho(n)}(n-i+\wt_2i)=
-6+\sum_{i=0}^{\rho(n)}(n-i+\wt_2i)$ for $n>3$, and $\eta(1)=0$, $\eta(2)=1$,
$\eta(3)=4$ (that is, $1$, $2$ and $16$ such mappings, respectively, in agreement with the first assertion).
1575:
1576: Now, to finish the proof of proposition \ref{Num} we only have to
1577: demonstrate that $\lim_{n\to\infty}\frac{2\eta(n)}{n^2}=1$. We start with
1578: estimating $\rho(n)$.
1579:
1580: Represent $n$ as $n=2^k+t$ where $0\le t<2^k$. Verify that $\rho(2^{k+1}-1)=2^{k+1}-1$
1581: by direct calculations. So, $\rho(n)=n$, if $n=2^{k+1}-1$ (i.e., if $t=2^k-1$),
1582: and $\rho(n)=2^k+s$ for certain $s\ge 0$, in the opposite case (i.e., if $t<2^k-1$).
1583: We claim that $s<2^k$. Indeed, the function $k-\wt_2k$, and hence, the function
1584: $\rho(n)$ are nondecreasing; thus, $s\le2^k$. However, assuming $s=2^k$
1585: we get a contradiction: On the one hand,
1586: $2^k+t=n>\rho(n)-\wt_2\rho(n)=2^k+2^k-\wt_2(2^k+2^k)=2^{k+1}-1$,
1587: but $t<2^k-1$ on the other. Thus for $t<2^k-1$, i.e., for $n\ne
1588: 2^{k+1}-1$, we have that $\rho(n)=2^k+s$ for some $t\le s\le 2^k-1$ since
1589: obviously $\rho(n)\ge n$. Hence
1590: $n=2^k+t>\rho(n)-\wt_2(\rho(n))=2^k+s-1-\wt_2s$; consequently
$s=\max\{r\in\mathbb N : r-\wt_2r<t+1\}=\rho(t+1)$
1592: by definition of the function $\rho$. Thus we proved the formula
1593: \begin{equation*}
1594: \rho(n)=\rho(2^k+t)=
1595: \begin{cases}
1596: 2^k+t, &\text{if $t=2^k-1$, i.e., if $n=2^{k+1}-1$};\cr
1597: 2^k+\rho(t+1), &\text{if $t<2^k-1$, i.e., if $n\ne 2^{k+1}-1$}.
1598: \end{cases}
1599: \end{equation*}
1600: This implies an obvious recursive procedure for calculating $\rho(n)$, which
1601: halts not later than in $k$ steps; mind that $k+1$ is the number of digits
1602: in base-$2$ expansion of $n$. We conclude finally
1603: that $n\le\rho(n)\le n+\lfloor\log_2n\rfloor$ since
1604: the number of digits in base-$2$ expansion of $n$ is exactly
1605: $\lfloor\log_2n\rfloor+1$ and $2^{r}-1=\underbrace{11\ldots1}_{r}$.
1606:
Now we successively calculate
1608: $\eta(n)=\sum_{i=0}^n(i+\wt_2i)+\sum_{j=n+1}^{\rho(n)}(n-j+\wt_2j)-6=
1609: \frac{n(n+1)}{2}+\sum_{i=1}^n\wt_2i-\frac{(\rho(n)-n)(\rho(n)-n+1)}{2}+
1610: \sum_{j=1}^{\rho(n)-n}\wt_2(n+j)-6$. Finally, taking into the account that
1611: \begin{multline*}
1612: \sum_{i=1}^n\wt_2i\le
1613: \sum_{i=1}^{2^{\lfloor\log_2n\rfloor+1}-1}\wt_2i=\sum_{i=1}^{\lfloor\log_2n\rfloor+1}
1614: i\binom{\lfloor\log_2n\rfloor+1}{i}\\
1615: =(\lfloor\log_2n\rfloor+1)2^{\lfloor\log_2n\rfloor}
1616: \le(1+\log_2n)n
1617: \end{multline*}
1618: and also that $\rho(n)-n\le\log_2n$, $\wt_2(a+b)\le \wt_2a+\wt_2b$,
1619: $\wt_2a\le 1+\log_2a$,
1620: we conclude that
1621: $\lim_{n\to\infty}\frac{2\eta(n)}{n^2}=1$.
1622: \end{proof}
1623: \begin{note}
1624: \label{Num-1}
1625: During the proof of proposition \ref{Num} we have demonstrated
1626: that each mapping of $\mathbb Z/2^n$ onto $\mathbb Z/2^n$
1627: induced by a polynomial over $\mathbb Z$
1628: could be represented by a polynomial of degree not greater
1629: than $\rho(n)\le n+\log_2n$, and this estimate is sharp. Moreover,
1630: from the final part of the proof it could be deduced that the number of
1631: transitive
1632: mappings of $\mathbb Z/2^n$ onto itself that are induced by polynomials
1633: over $\mathbb Z$ is $O(2^{\frac{1}{2}n(n+1)+n(1+\log_2n)+
1634: \frac{1}{2}(1+\log_2n)\log_2n+(1+\log_2\log_2n)\log_2n})$. The case
1635: $n=2^k$ is of special interest since usually the word length of contemporary
1636: processors is a power of $2$. In this case $\rho(n)=n+1$, and for $k\ge 2$ direct
1637: calculations of $\eta(n)$ (see
1638: the proof of \ref{Num}) imply that the number
1639: of transitive modulo $2^n$ mappings of $\mathbb Z/2^n$ onto itself that
1640: are induced by polynomials over $\mathbb Z$ is exactly
1641: $2^{2^{2k-1}+(k+1)2^{k-1}-4}$. For instance, in the case $n=32$ this makes $2^{604}$
1642: transitive mappings; all of them are induced by polynomials over $\mathbb
Z$ of degree $\le 33$, i.e., could be expressed via arithmetic operations
1644: \eqref{eq:opAr}. Yet for $n=8$ this makes only $2^{44}$ polynomials of
1645: degree not exceeding $9$. By the use of bitwise logical operations
1646: \eqref{eq:opBinLog} along with arithmetic operations
1647: one could significantly increase the number of transitive mappings,
up to $2^{2^{n}-n-1}$. Each of these mappings could be expressed
as a polynomial over $\mathbb Q$ (see \ref{ergBin}), yet the bound for
its degree $d$ rises significantly as well.
1651: Namely, from the
1652: proof of \ref{Num} it follows that $\lfloor\log_2(d+1)\rfloor+1<n$ for $n>2$,
1653: i.e., $d\le 2^{n-1}-2$, and this bound is sharp. For $n=8$, e.g.,
1654: this makes $2^{247}$ transitive polynomials over $\mathbb Q$ of degree
1655: $\le 126$. Note that for each $1\le d\le \rho(n)$ (resp., for each
1656: $1\le d\le 2^{n-1}-2$) there exist an ergodic polynomial over $\mathbb Z$
1657: (resp., a compatible and ergodic polynomial over $\mathbb Q$) of degree
1658: exactly $d$. The number of pairwise distinct modulo $2^n$ mappings induced by these
1659: polynomials may also be calculated using the ideas of the proof of \ref{Num}.
1660: We omit details.
1661: \end{note}
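The quantities of Proposition \ref{Num} and Note \ref{Num-1} are easy to check by machine. The Python script below is an added illustration (not part of the paper): it computes $\rho(n)$ both from the definition and from the recursion in the proof, $\eta(n)$ and its closed form for $n=2^k$, and verifies both counts by exhaustive enumeration where that is feasible, namely all compatible mappings modulo $2^n$ for $n\le 3$ (through the truth tables of their coordinate functions) and all mappings induced by polynomials over $\mathbb Z$ for $n\le 4$ (through the binomial representation \eqref{eq:Bin}). The function names are mine.

```python
# Added example (not from the paper): the counting functions of Proposition Num and the
# two counts themselves, verified by brute force for small n.
import itertools
from math import comb

def wt2(i):
    """Binary weight of i (number of 1s in the base-2 expansion)."""
    return bin(i).count("1")

def ord2_factorial(i):
    """ord_2(i!) = i - wt_2(i) (Legendre's formula with p = 2)."""
    return i - wt2(i)

def rho(n):
    """Largest k with k - wt_2(k) < n, straight from the definition."""
    k = 0
    while ord2_factorial(k + 1) < n:
        k += 1
    return k

def rho_recursive(n):
    """rho(2^k + t) = n if t = 2^k - 1, else 2^k + rho(t + 1)  (recursion of the proof)."""
    k = n.bit_length() - 1
    t = n - (1 << k)
    return n if t == (1 << k) - 1 else (1 << k) + rho_recursive(t + 1)

def log2_count_all(n):
    """log2 of the number of compatible transitive maps modulo 2^n: 2^n - n - 1."""
    return (1 << n) - n - 1

def eta(n):
    """log2 of the number of transitive-mod-2^n maps induced by polynomials over Z."""
    if n <= 3:
        return {1: 0, 2: 1, 3: 4}[n]
    return sum(n - i + wt2(i) for i in range(rho(n) + 1)) - 6

def eta_power_of_two(k):
    """Closed form of eta(2^k) for k >= 2, as in the Note."""
    return (1 << (2 * k - 1)) + (k + 1) * (1 << (k - 1)) - 4

def _is_single_cycle(table):
    """table[x] = f(x) on Z/2^n; True iff f is one cycle of full length."""
    size = len(table)
    x, k = table[0], 1
    while x != 0 and k < size:
        x, k = table[x], k + 1
    return x == 0 and k == size

def count_transitive_t_functions(n):
    """Enumerate every compatible map modulo 2^n through the truth tables of its
    coordinate functions delta_i (2^{i+1} bits each) and count the single cycles.
    Feasible for n <= 3 (2^14 maps)."""
    sizes = [1 << (i + 1) for i in range(n)]
    count = 0
    for code in range(1 << sum(sizes)):
        tables, pos = [], 0
        for size in sizes:
            tables.append([(code >> (pos + x)) & 1 for x in range(size)])
            pos += size
        table = [sum(tables[i][x & (sizes[i] - 1)] << i for i in range(n)) for x in range(1 << n)]
        count += _is_single_cycle(table)
    return count

def count_transitive_integer_polynomials(n):
    """Enumerate f(x) = sum a_i C(x, i), 0 <= i <= rho(n), a_i in Z/2^n with
    a_i = 0 mod 2^{ord_2 i!} (exactly the polynomials over Z, each map once) and
    count those that are single cycles modulo 2^n.  Feasible for n <= 4."""
    size = 1 << n
    degrees = range(rho(n) + 1)
    ranges = [range(0, size, 1 << ord2_factorial(i)) for i in degrees]
    binom = [[comb(x, i) % size for i in degrees] for x in range(size)]
    count = 0
    for coeffs in itertools.product(*ranges):
        table = [sum(a * b for a, b in zip(coeffs, binom[x])) % size for x in range(size)]
        count += _is_single_cycle(table)
    return count

if __name__ == "__main__":
    print([rho(n) for n in range(1, 17)], eta(8), eta(32), eta_power_of_two(5))
    print([count_transitive_t_functions(n) for n in (1, 2, 3)],
          [count_transitive_integer_polynomials(n) for n in (1, 2, 3, 4)])
```

For $n=4$ the enumeration gives $2^{10}=1024$ polynomial-induced transitive mappings out of $2^{11}$ compatible transitive ones, the first case in which the two counts differ, and $2\eta(n)/n^2$ is already within one percent of $1$ at $n=4096$.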
1662: \subsection*{Using uniform differentiability}
Now we are going to give general descriptions of equiprobable
(in particular, multivariate measure-preserving) mappings following
\cite[section 3]{me-2}, \cite[Section 5]{me-conf}, \cite[Section 5]{me-1}.
These mappings could be used as output functions
of the generators, assuring uniform distribution of the produced sequence,
see \ref{prop:Auto}.
1669:
1670: To describe equiprobable (and, in particular, measure preserving) mappings
1671: we need $p$-adic differential calculus techniques as well as certain notions introduced
1672: in \cite{me-1, me-2, me-conf}.
1673: \begin{defn}
1674: \label{def:Der}
1675: A function $F=(f_{1},\ldots ,f_{m})\colon{\mathbb Z}^{(n)}_{p}\rightarrow {\mathbb Z}^{(m)}_{p}$
1676: is said to be {\it differentiable modulo $p^k$} at the point
1677: $ \mathbf u=(u_{1},\ldots ,u_{n})\in {\mathbb Z}^{(n)}_{p}$
if there exist a positive rational
integer
$N$ and an $n\times m$ matrix $F^{\prime}_{k}(\mathbf u)$ over ${\mathbb Q}_{p}$
1681: (called {\it the Jacobi matrix modulo} $p^{k}$ of the function $F$ at the
1682: point
1683: $\mathbf u$) such that for every positive rational integer
1684: $K\ge N$ and every $ \mathbf h=(h_{1},\ldots ,h_{n})\in {\mathbb Z}^{(n)}_{p}$
1685: the inequality
1686: $\|\mathbf h\| _{p}\le p^{-K}$ implies that
1687: \begin{equation}
1688: \label{Der}
1689: F( \mathbf u+\mathbf h)\equiv F(\mathbf u)+
1690: \mathbf hF^{\prime}_{k}(\mathbf u)\pmod{p^{k+K}}.
1691: \end{equation}
1692: In case $m=1$ the
1693: Jacobi matrix modulo $p^k$ is called a {\it differential modulo $p^k$}. In
1694: case $m=n$ a determinant of Jacobi matrix modulo $p^k$ is called a {\it Jacobian
1695: modulo $p^k$}. The elements of Jacobi matrix modulo $p^k$
1696: are called {\it partial derivatives modulo} $p^k$ of the function $F$ at
1697: the point $\mathbf u$.
1698: \end{defn}
A partial derivative (respectively, a differential) modulo $p^k$ is
sometimes denoted by
$\frac{\partial_k f_i (\mathbf u)}{\partial_k x_j}$ (respectively, by
$d_{k}F(\mathbf u)=\sum^n_{i=1} \frac {\partial_k F(\mathbf u)}{\partial_k x_i}d_{k}x_{i}$).
\par
The definition immediately implies that partial derivatives
modulo $p^k$ of the function $F$ are defined only up to a summand
whose $p$-adic norm does not exceed $p^{-k}$. In cases when all partial derivatives
1707: modulo $p^k$ at all points of
1708: $\mathbb Z_p^{(n)}$ are
1709: $p$-adic integers, we say that the function
1710: $F$ has {\it integer-valued derivative modulo} $p^k$;
1711: %на $\mathbb Z_p^{(n)}$
1712: in these cases we can associate to each partial derivative modulo $p^k$
1713: a unique element of the ring $\mathbb Z/p^k$,
1714: and a Jacobi matrix modulo $p^k$
1715: at each point $\mathbf u\in \mathbb Z_p^{(n)}$
thus can be considered as a matrix over a ring $\mathbb Z/p^k$. It turns
out that this is exactly the case for compatible $F$. Namely, the following
proposition holds.
1719: \begin{prop}
1720: \label{intDer}
1721: {\rm(\cite[Corollary 3.8]{me-1}, \cite[Corollary 3.3]{me-conf})}
1722: Let a compatible function
1723: $F=(f_{1},\ldots ,f_{m})\colon{\mathbb Z}^{(n)}_{p}\rightarrow {\mathbb Z}^{(m)}_{p}$ be uniformly
1724: differentiable modulo $p^k$ at the point $\mathbf u\in {\mathbb Z}^{(n)}_{p}$.
1725: Then $\big\|\frac{\partial_k f_i (\mathbf u)}{\partial_k x_j}\big\|_p\le 1$, i.e.,
1726: $F$ has integer-valued derivatives modulo $p^k$.
1727: \end{prop}
1728: % \begin{proof}
1729: % In view of \ref{def:Der} it is sufficient to prove the proposition for
1730: % $m=n=1$. Now let a compatible mapping $f\colon\mathbb Z_p\rightarrow\mathbb
1731: % Z_p$ be uniformly differentiable modulo $p^k$ at the point $x\in\mathbb
1732: % Z_p$; that is, $f(x+p^ts)\equiv f(x)+p^tsf^\prime_k(x)\pmod{p^{k+K}}$ for all
1733: % $t\ge K$, $s\in\mathbb Z_p$, and $K$ sufficiently large. In particular,
1734: % $f(x+p^K)\equiv f(x)+p^Kf^\prime_k(x)\pmod{p^{k+K}}$
1735: % Since the compatibility
1736: % of $f$ implies that $f(x+p^K)-f(x)=rp^K$ for suitable $r\in\mathbb Z_p$,
1737: % then the latter congruence implies that $rp^K=p^Kf^\prime_k(x)+zp^{k+K}$
1738: % for suitable $z\in\mathbb Z_p$. Thus $f^\prime_k(x)\in\mathbb Z_p$.
1739: % \end{proof}
1740: For the functions with integer-valued derivatives modulo $p^k$
1741: the `rules of differentiation
1742: modulo $p^k$' have the same (up to congruence modulo $p^k$ instead of equality)
1743: form as for usual differentiation.
1744: For instance, if both functions
1745: $G\colon{\mathbb Z}^{(s)}_{p}\rightarrow {\mathbb Z}^{(n)}_{p}$ and
1746: $F\colon{\mathbb Z}^{(n)}_{p}\rightarrow {\mathbb Z}^{(m)}_{p}$
1747: are differentiable modulo
1748: $p^{k}$ at the points, respectively, $\mathbf v=(v_{1},\ldots ,v_{s})$
1749: and $\mathbf u=G(\mathbf v)$, and their partial derivatives modulo $p^{k}$ at
1750: these points are $p$-adic integers, then a composition
1751: $F\circ G\colon{\mathbb Z}^{(s)}_{p}\rightarrow {\mathbb Z}^{(m)}_{p}$
1752: of these functions is uniformly differentiable modulo $p^{k}$ at the point
1753: $\mathbf v$, all its partial derivatives
1754: modulo $p^{k}$ at this point are $p$-adic integers, and
1755: $(F\circ G)^\prime_k (\mathbf v)\equiv G^\prime_k (\mathbf v) F^\prime_k (\mathbf u)\pmod
1756: {p^k}$.
1757:
1758:
By analogy with the classical case we can give the following
\begin{defn}
\label{def:uniDer}
A function $F\colon{\mathbb Z}^{(n)}_{p}\rightarrow {\mathbb Z}^{(m)}_{p}$ is said
to be
{\it uniformly differentiable modulo $p^k$ on $\mathbb Z_p^{(n)}$} iff there
exists $K\in\mathbb N$ such that \eqref{Der} holds simultaneously for all
$\mathbf u \in \mathbb Z_p^{(n)}$ as soon as
$\| h_{i}\| _{p}\le p^{-K}$, $(i=1,2,\ldots ,n)$. The
least such
$K\in\mathbb N$
is denoted by $N_k(F)$.
1771: %The latter number plays an important role in
1772: %further coniderations.
1773: \end{defn}
1774: We recall that all partial derivatives
1775: modulo $p^k$ of a uniformly differentiable modulo $p^k$ function $F$
1776: are periodic functions with period
1777: $p^{N_k(F)}$ (see \cite[Proposition 2.12]{me-1}).
1778: This in particular implies that each partial derivative modulo
1779: $p^k$ could be considered as a function defined on $\mathbb Z/p^{N_k(F)}$.
1780: Moreover, if a continuation $\tilde F$ of the function
1781: $F=(f_{1},\ldots , f_{m})\colon{\mathbb N}^{(n)}_{0}\rightarrow {\mathbb N}^{(m)}_{0}$
1782: to the space $\mathbb Z_p^{(n)}$ is uniformly differentiable modulo $p^k$ on the
1783: $\mathbb Z_p^{(n)}$, then one could continue both the function $F$ and all its
1784: (partial) derivatives modulo $p^k$ to the space $\mathbb Z_p^{(n)}$
1785: simultaneously. This imples that we could study if necessary (partial)
1786: derivatives modulo $p^k$
1787: of the function $\tilde F$ instead of studying those of $F$ and vise versa.
1788: For example, a partial derivative $\frac{\partial_k f_i (\mathbf u)}{\partial_k x_j}$
1789: modulo $p^k$ vanishes modulo $p^k$ at no point of $\mathbb Z_p^{(n)}$
1790: (that is,
1791: $\frac{\partial_k f_i (\mathbf u)}{\partial_k x_j}\not\equiv 0\pmod{p^k}$
1792: for all $u\in \mathbb Z_p^{(n)}$, or, the same
1793: $\big\|\frac{\partial_k f_i (\mathbf u)}{\partial_k x_j}\big\|_p> p^{-k}$
1794: everywhere on $\mathbb Z_p^{(n)}$) if and only if
1795: $\frac{\partial_k f_i (\mathbf u)}{\partial_k x_j}\not\equiv 0\pmod{p^k}$
for all $\mathbf u\in\{0,1,\ldots,p^{N_k(F)}-1\}^{(n)}$.
1797:
1798: To calculate a derivative of, for instance, a state transition function, which
1799: is a composition of `elementary' functions, see \ref{erg-comp},
1800: one needs to know derivatives of these `elementary' functions,
1801: such as \eqref{eq:opBinLog}
and \eqref{eq:opAr}. Thus, we briefly introduce a $p$-adic analogue of the
`table of derivatives' of classical calculus.
1804: \begin{exmp} Derivatives of bitwise logical operations.
1805: %\nopagebreak
1806: \label{DerLog}
1807: %\nopagebreak
1808: \begin{enumerate}
1809: %\nopagebreak
1810: \item {\it a function $f(x)=x\AND c$ is uniformly differentiable on $\mathbb
1811: Z_2$ for any $c\in
1812: \mathbb Z$; $f^\prime(x)=0$ for $c\ge 0$, and $f^\prime(x)=1$ for $c<0$,} since
1813: $f(x+2^ns)=f(x)$, and
1814: $f(x+2^ns)=f(x)+2^ns$ for $n\ge l(|c|)$, where $l(|c|)$ is the bit length
1815: of absolute value of $c$
1816: (mind that for $c\ge 0$ the $2$-adic representation
1817: of $-c$ starts with $2^{l(c)}-c$ in less significant bits followed by $11\ldots$:
1818: $-1=11\ldots$, $-3=10111\ldots$, etc.).
1819: \item {\it a function $f(x)=x\XOR c$ is uniformly differentiable on $\mathbb
1820: Z_2$ for any $c\in
1821: \mathbb Z$; $f^\prime(x)=1$ for $c\ge 0$, and $f^\prime(x)=-1$ for $c<0$.} This
1822: immediately
follows from (1) since $u\XOR v=u+v-2(u\AND v)$ (see \eqref{eq:id}); thus
$(x\XOR c)^\prime=x^\prime+c^\prime-2(x\AND c)^\prime=1-2(x\AND c)^\prime$,
which equals $1$ for $c\ge 0$ and $-1$ for $c<0$.
1827: \item in the same manner it could be shown that {\it functions $(x\bmod
1828: 2^n)$, $\NEG(x)$
1829: and $(x\OR c)$ for $c\in \mathbb Z$ are uniformly differentiable on $\mathbb
1830: Z_2$, and $(x\bmod 2^n)^\prime=0$, $(\NEG x)^\prime=-1$,
1831: $(x\OR c)^\prime=1$ for $c\ge 0$,
1832: $(x\OR c)^\prime=0$ for $c< 0$.}
1833: \item {\it a function $f(x,y)=x\XOR y$ is not uniformly differentiable on
1834: $\mathbb Z_2^{(2)}$,
1835: yet it is uniformly differentiable modulo $2$ on $\mathbb Z_2^{(2)}$};
1836: from (2) it follows that its partial derivatives modulo 2 are 1 everywhere
1837: on $\mathbb Z_2^{(2)}$.
1838: \end{enumerate}
1839: \end{exmp}
1840: % The examples of functions which are not uniformly differentiable on $\mathbb Z_p^{(n)}$,
1841: % yet are uniformly differentiable on $\mathbb Z_p^{(n)}$ modulo $p$, are
1842: % the function $f(x,y)=x\XOR y$ for $p=2$
1843: % and its corresponding analogons for $p\ne 2$; all partial derivatives modulo
1844: % $p$ of
1845: % these functions are congruent to 1 modulo $p$ at all points (see \cite{me-1}).
1846: % Note by the way, that previously introduced function
1847: % $\bmod{\,p^n}\colon \mathbb Z_p\rightarrow\mathbb Z/p^n$, the `reduction modulo $p^n$',
1848: % is uniformly differentiable on $\mathbb Z_p$ (its derivative is $0$ at all
1849: % points);
1850: % the function $f(x,y)=x\AND y$ is differentiable modulo $2$ at no point
1851: % of $\mathbb Z_2^{(2)}$, yet it is uniformly differentiable with respect to
1852: % $x$ for each $y\in \mathbb Z$: its derivative is 0 for $y\ge 0$, and it is
1853: % 1 in the opposite case.
1854:
1855:
1856: %To clarify how it all works consider the following
Here is how it all works together.
1858: \begin{exmp*}
1859: %\label{exDer}
1860: A function $f(x)=x+(x^2\OR 5)$ is uniformly differentiable
1861: on $\mathbb Z_2$,
1862: %$N_1(f)=N_2(f)=\ldots =3$,
and $f^\prime (x)=1+2x\cdot
(u\OR 5)^\prime\big|_{u=x^2}=1+2x$.
1865:
1866:
1867:
1868: A function $F(x,y)=(f(x,y),g(x,y))=
1869: (x \oplus 2(x \wedge y ),(y +3 x^3 )\oplus x )$
1870: is uniformly differentiable modulo $2$ as bivariate
1871: function, and $N_1(F)=1$; namely
1872: $$F(x+2^nt,y+2^ms)\equiv F(x,y)+(2^nt,2^ms)\cdot
1873: \begin{pmatrix}
1874: 1&x+1\\
1875: 0&1
1876: \end{pmatrix}
1877: \pmod{2^{k+1}}$$
1878: for all $m,n\ge 1$ (here $k=\min\{m,n\}$). The matrix
1879: $\begin{pmatrix}
1880: 1&x+1\\
1881: 0&1
1882: \end{pmatrix}
=F^\prime_1(x,y)$ is the Jacobi matrix modulo 2 of $F$; here is how the
partial derivatives modulo $2$ are calculated: for instance,
1885: $\frac{\partial_1 g(x,y)}{\partial_1 x}=\frac{\partial_1 (y +3 x^3)}{\partial_1 x}
1886: \cdot \frac{\partial_1 (u\oplus x)}{\partial_1 u}\big|_{u=y +3 x^3}+
1887: \frac{\partial_1 x}{\partial_1 x}\cdot
1888: \frac{\partial_1 (u\oplus x)}{\partial_1 x}\big|_{u=y +3 x^3}=9x^2\cdot 1+1\cdot
1889: 1\equiv x+1\pmod 2$.
1890: Note that a partial derivative modulo 2 of the function
1891: $2(x \wedge y )$ is always $0$ modulo 2 because of the multiplier 2:
1892: the function $x \wedge y$ is not differentiable modulo 2 as bivariate function,
1893: yet $2(x \wedge y )$ is. So the Jacobian of the function $F$ is
$\det F^\prime_1\equiv 1\pmod 2$.
1895: \end{exmp*}
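The following Python script is an added check, not part of the paper, of the derivatives listed in \ref{DerLog} and in the example above. Python's integers are unbounded and its bitwise operators act on the two's complement expansion with infinitely many leading ones, that is, on the $2$-adic representation ($-1=\ldots111$, $-3=\ldots11101$), so negative constants $c$ need no special treatment. The function names and the window of inputs over which each congruence is checked are choices made here.

```python
# Added example (not from the paper): numerical check of the 2-adic
# 'table of derivatives' and of the two worked examples above.
# Python ints are unbounded, and &, |, ^, ~ on negative ints act on the
# two's-complement expansion with infinitely many leading 1s, i.e. on the
# 2-adic representation: -1 == ...111, -3 == ...11101.


def has_derivative_mod(f, df, k, K, bits=6, extra=3):
    """One-variable form of condition (Der) modulo 2^k with derivative df:
         f(x + 2^n s) == f(x) + 2^n s * df(x)   (mod 2^(n+k))   for all n >= K.
    Checked for x in [0, 2^bits), n in [K, K+extra] and s in {1, 2, 3};
    the window of inputs is a choice made here, not a proof."""
    for x in range(1 << bits):
        for n in range(K, K + extra + 1):
            for s in (1, 2, 3):
                h = s << n
                if (f(x + h) - f(x) - h * df(x)) % (1 << (n + k)):
                    return False
    return True


def table_of_derivatives_holds():
    """Items (1)-(3) of the example: x AND c, x XOR c, x OR c for c >= 0 and
    c < 0 (K = bit length of |c|), NEG x = ~x, and x mod 2^3.  These
    derivatives are exact, so the congruence is checked with a large k."""
    ok = [has_derivative_mod(lambda x: ~x, lambda x: -1, 10, 0),
          has_derivative_mod(lambda x: x % 8, lambda x: 0, 10, 3)]
    for c in (0, 1, 5, 12, -1, -3, -6, -13):
        K = abs(c).bit_length()
        ok.append(has_derivative_mod(lambda x, c=c: x & c,
                                     lambda x, c=c: 0 if c >= 0 else 1, 10, K))
        ok.append(has_derivative_mod(lambda x, c=c: x ^ c,
                                     lambda x, c=c: 1 if c >= 0 else -1, 10, K))
        ok.append(has_derivative_mod(lambda x, c=c: x | c,
                                     lambda x, c=c: 1 if c >= 0 else 0, 10, K))
    return all(ok)


def example_f_holds():
    """f(x) = x + (x^2 OR 5) with f'(x) = 1 + 2x, checked modulo 4 with K = 3."""
    return has_derivative_mod(lambda x: x + (x * x | 5), lambda x: 1 + 2 * x, 2, 3)


def kleinshamir_F(x, y):
    """F(x, y) = (x XOR 2(x AND y), (y + 3x^3) XOR x)."""
    return x ^ (2 * (x & y)), (y + 3 * x ** 3) ^ x


def kleinshamir_jacobian_mod2(x, y):
    """Rows (df/dx, dg/dx) and (df/dy, dg/dy), so that the increment of F is
    the row vector (2^n t, 2^m s) times this matrix, as in the text."""
    return ((1, x + 1), (0, 1))


def has_jacobian_mod2(F, J, bits=4, max_n=4):
    """Bivariate form of (Der) modulo 2 with N_1 = 1:
         F(x + 2^n t, y + 2^m s) == F(x, y) + (2^n t, 2^m s) . J(x, y)
    modulo 2^(min(n, m) + 1) for all n, m >= 1, checked on a window of inputs."""
    for x in range(1 << bits):
        for y in range(1 << bits):
            (fx, gx), (fy, gy) = J(x, y)
            f0, g0 = F(x, y)
            for n in range(1, max_n + 1):
                for m in range(1, max_n + 1):
                    mod = 1 << (min(n, m) + 1)
                    for t in (0, 1, 3):
                        for s in (0, 1, 3):
                            hx, hy = t << n, s << m
                            f1, g1 = F(x + hx, y + hy)
                            if ((f1 - f0 - hx * fx - hy * fy) % mod
                                    or (g1 - g0 - hx * gx - hy * gy) % mod):
                                return False
    return True


def xor_fails_mod4():
    """x XOR y is not uniformly differentiable modulo 4: at (1, 1) with the
    increment (2^n, 2^n) the value is 0, while (1 XOR 1) + 2^n + 2^n = 2^(n+1)
    is nonzero modulo 2^(n+2), whatever n is."""
    return all((((1 + h) ^ (1 + h)) - ((1 ^ 1) + h + h)) % (1 << (n + 2)) != 0
               for n in range(1, 12) for h in [1 << n])


if __name__ == "__main__":
    print("table of derivatives:", table_of_derivatives_holds())
    print("f(x) = x + (x^2 OR 5), f' = 1 + 2x:", example_f_holds())
    print("Jacobi matrix mod 2 of F:", has_jacobian_mod2(kleinshamir_F, kleinshamir_jacobian_mod2))
    print("x XOR y fails mod 4:", xor_fails_mod4())
```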
1896: %
1897: %Here and after till the end of this section
1898: Now let $F=(f_{1},\ldots , f_{m})\colon{\mathbb Z}^{(n)}_{p}\rightarrow {\mathbb Z}^{(m)}_{p}$
1899: and $f\colon{\mathbb Z}^{(n)}_{p}\rightarrow {\mathbb Z}_{p}$ be compatible
1900: functions,
1901: which are uniformly differentiable on $\mathbb Z_p^{(n)}$ modulo $p$. This is a
1902: relatively
1903: weak restriction since all uniformly differentiable on $\mathbb Z_p^{(n)}$ functions,
1904: as well as functions, which are uniformly differentiable on $\mathbb Z_p^{(n)}$
1905: modulo $p^k$ for some $k\ge
1906: 1$, are uniformly differentiable on $\mathbb Z_p^{(n)}$ modulo $p$;
1907: note that
1908: $\frac{\partial F}{\partial x_i}\equiv \frac{\partial_k F}{\partial_k x_i}\equiv
1909: \frac{\partial_{k-1} F}{\partial_{k-1} x_i}\pmod{p^{k-1}}$.
1910: Moreover,
1911: all values of all partial derivatives modulo $p^k$ (and thus, modulo $p$)
1912: of $F$ and $f$ are $p$-adic integers everywhere on,
1913: %all points of
1914: respectively, $\mathbb Z_p^{(n)}$ and $\mathbb Z_p$ (see \ref{intDer}),
1915: so to calculate these values one can use the techniques considered above.
1916:
1917: \begin{thm}
1918: \label{equi}
1919: {\rm(}\cite[Theorems 3.1 and 3.2; resp., 3.7 and 3.9 in the preprint]{me-2},
1920: \cite[5.2 -- 5.5]{me-conf}, \cite[5.2 -- 5.5]{me-1}{\rm)}
1921: A function $F\colon{\mathbb Z}^{(n)}_{p}\rightarrow {\mathbb Z}^{(m)}_{p}$ is
1922: equiprobable whenever it is equiprobable modulo $p^{k}$ for some
1923: $k\ge N_{1}(F)$ and the rank of its Jacobi matrix $F_1^\prime (\mathbf
1924: u)$ modulo
1925: $p$ is exactly $m$ at all points
1926: $\mathbf u=(u_{1},\ldots ,u_{n})\in (\mathbb Z/p^{k})^{(n)}$. In case
1927: $m=n$ these conditions are also necessary, i.e., the function $F$ preserves
1928: measure iff it is bijective modulo $p^{k}$ for some
1929: $k\ge N_{1}(F)$ and $\det(F_1^\prime (\mathbf u))\not\equiv 0\pmod{p}$ for all
1930: $\mathbf u=(u_{1},\ldots ,u_{n})\in (\mathbb Z/p^{k})^{(n)}$. Moreover,
1931: in the considered case these conditions imply that $F$ preserves measure
1932: iff it is bijective modulo $p^{N_1(F)+1}$.
1933: \end{thm}
1934: That is, if the mapping
1935: $\mathbf u\mapsto F(\mathbf u)\bmod p^{N_1(F)}$ is equiprobable, and if
the rank of the Jacobi matrix $F_1^\prime (\mathbf u)$ modulo
1937: $p$ is exactly $m$ at all points $
1938: \mathbf u\in (\mathbb Z/p^{N_1(F)})^{(n)}$
1939: then
1940: {\it each} mapping $\mathbf u\mapsto F(\mathbf u)\bmod p^r$ of
1941: $(\mathbb Z/p^r)^{(n)}$ onto $(\mathbb Z/p^r)^{(m)}$
1942: $(r=1,2,3,\ldots)$ is equiprobable (i.e., each point
$\mathbf u\in (\mathbb Z/p^{r})^{(m)}$ has the same number of preimages
in $(\mathbb Z/p^{r})^{(n)}$, see \ref{def:erg}).
1945: \begin{exmp}
1946: \label{KlSh-ex}
1947: (see \cite{KlSh})
1948: \begin{enumerate}
1949: \item {\it A mapping
1950: $$(x,y ) \mapsto F(x,y)=(x \oplus 2(x \wedge y ),(y +3 x^3 )\oplus x )\bmod{2^r}$$
of $(\mathbb Z/2^r)^{(2)}$ onto $(\mathbb Z/2^r)^{(2)}$
1952: is bijective for all $r=1,2,\ldots$}
1953:
1954: Indeed, the function $F$ is bijective modulo $2^{N_1(F)}=2$ (direct verification)
1955: and $\det(F_1^\prime (\mathbf u))\equiv 1\pmod 2$ for all $\mathbf u\in(\mathbb
1956: Z/2)^{(2)}$ (see \ref{DerLog} and example thereafter).
1957: \item {\it The following mappings of $\mathbb Z/2^r$ onto $\mathbb Z/2^r$
1958: are bijective for all $r=1,2,\ldots$}:
1959: \begin{equation*}
1960: \qquad \quad x\mapsto (x +2x^2)\bmod{2^r},\ x\mapsto (x +(x^2\vee 1))\bmod{2^r},\
1961: x\mapsto (x \oplus (x^2\vee 1))\bmod{2^r}
1962: \end{equation*}
1963:
1964: Indeed, all three mappings are uniformly differentiable
modulo 2, and $N_1=1$ for all of them. So it suffices to prove that
all three mappings are bijective modulo 2, i.e., as mappings of the residue
ring $\mathbb Z/2$ onto itself (this could be checked by direct calculations),
1968: and that
1969: their derivatives modulo 2 vanish at no point of $\mathbb Z/2$. The latter
1970: also holds, since the derivatives are, respectively,
1971: %$$1+2x=1\pmod 2,\ 1+2x\cdot 0=1\pmod 2,\ 1+2x\cdot 0\pmod 2$$
1972: $$\qquad\ 1+4x\equiv 1\pmod 2,\ 1+2x\cdot 1\equiv 1\pmod 2,\ 1+2x\cdot 1\equiv
1973: 1\pmod 2$$
1974: %since $(x^2\vee 1)^\prime=2x\cdot 0=0$ , and $(x\oplus C)^\prime_1=1$,
1975: since $(x^2\vee 1)^\prime=2x\cdot 1\equiv 1\pmod 2$, and $(x\oplus C)^\prime_1\equiv
1976: 1\pmod 2$,
1977: (see \ref{DerLog}).
1978: %where $(x\oplus C)^\prime_1$ is derivative
1979: %modulo 2 of the function $x\oplus C$
1980: \item {\it The following closely related variants of the previous mappings
1981: of
1982: $\mathbb Z/2^r$ onto $\mathbb Z/2^r$
1983: are NOT bijective for all $r=1,2,\ldots$}:
1984: $$\qquad \quad x\mapsto (x +x^2)\bmod{2^r},\ x \mapsto (x +(x^2\wedge 1))\bmod{2^r},\
x\mapsto (x +(x^3\vee 1))\bmod{2^r},$$ since they are compatible but
not bijective modulo 2.
1987: \item (see \cite{Riv}, also \cite[Theorem 1]{KlSh}) {\it Let $P (x )=a_0 +a_1 x + \cdots+a_d x^d$ be a polynomial with integral
1988: coefficients. Then $P (x )$ is a permutation polynomial } (i.e., is bijective)
1989: {\it modulo $2^ n$,
1990: $n>1$ if and
1991: only if $a_1$ is odd, $(a_2 +a_4 + \cdots)$ is even, and $(a_3 +a_5 +\cdots)$
1992: is even.}
1993:
1994: In view of \ref{equi} we have to verify whether the two conditions
1995: hold: first, whether $P$ is bijective modulo 2, and second,
1996: whether
1997: $P^\prime(z)\equiv 1\pmod 2$ for $z\in\{0,1\}$.
The first condition gives that $P(0)=a_0$ and $P(1)=a_0+a_1+a_2+\cdots+a_d$
must be distinct modulo 2; hence $a_1+a_2+\cdots+a_d\equiv 1\pmod 2$.
2000: The second condition implies that
2001: $P^\prime(0)=a_1\equiv 1\pmod2,\ P^\prime(1)\equiv a_1+a_3+a_5+\cdots\equiv 1\pmod 2$.
Now combining all this together we get $a_2+a_3+\cdots+a_d\equiv 0\pmod 2$ and
$a_3+a_5+\cdots\equiv 0\pmod 2$, hence $a_2 +a_4 + \cdots\equiv 0\pmod 2$.
2004: \item As a bonus, we can use exactly the same proof to
2005: get exactly the same characterization of bijective modulo $2^r$ $(r=1,2,\ldots)$
2006: mappings of the form $x\mapsto P (x )=
2007: a_0\oplus a_1x\oplus \cdots\oplus a_dx^d\bmod 2^r$ since $u\oplus v$ is uniformly
2008: differentiable modulo 2 as bivariate function, and its derivative modulo
2009: 2 is exactly the same as the derivative of $u+v$, and besides, $u\oplus v\equiv
2010: u+v\pmod 2$.
2011: \end{enumerate}
2012: \end{exmp}
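As an added illustration (not the paper's own computations), the following Python script confirms the claims of \ref{KlSh-ex} by exhaustive computation modulo small powers of $2$: the bijectivity of the mappings in items (1) and (2), the failure of bijectivity for item (3), and the agreement of Rivest's coefficient criterion of item (4) with brute force, both for ordinary polynomials and for the $\oplus$-polynomials of item (5). The bound $r=5$, the degree bound and the coefficient ranges searched are choices made here.

```python
# Added example (not from the paper): exhaustive bijectivity checks modulo
# 2^r for the mappings of the example above.  Theorem equi says that
# bijectivity modulo 2^(N_1+1) plus a nonvanishing Jacobian modulo 2 already
# forces bijectivity modulo every 2^r; here we confirm the conclusion.
from functools import reduce
from itertools import product
from operator import xor


def is_bijective_mod(f, r):
    """True iff x -> f(x) mod 2^r permutes Z/2^r.  f is assumed compatible
    (f(x) mod 2^r depends only on x mod 2^r), as all maps below are."""
    size = 1 << r
    return len({f(x) % size for x in range(size)}) == size


def is_bijective_mod_2d(F, r):
    """Same for F: Z^2 -> Z^2, reduced coordinatewise modulo 2^r."""
    size = 1 << r
    images = {tuple(v % size for v in F(x, y)) for x in range(size) for y in range(size)}
    return len(images) == size * size


def kleinshamir_map(x, y):
    """Item (1): F(x, y) = (x XOR 2(x AND y), (y + 3x^3) XOR x)."""
    return x ^ (2 * (x & y)), (y + 3 * x ** 3) ^ x


BIJECTIVE = {  # item (2)
    "x + 2x^2": lambda x: x + 2 * x * x,
    "x + (x^2 OR 1)": lambda x: x + (x * x | 1),
    "x XOR (x^2 OR 1)": lambda x: x ^ (x * x | 1),
}

NOT_BIJECTIVE = {  # item (3)
    "x + x^2": lambda x: x + x * x,
    "x + (x^2 AND 1)": lambda x: x + (x * x & 1),
    "x + (x^3 OR 1)": lambda x: x + (x ** 3 | 1),
}


def poly(coeffs, x):
    """a_0 + a_1 x + ... + a_d x^d."""
    return sum(a * x ** i for i, a in enumerate(coeffs))


def xor_poly(coeffs, x):
    """a_0 XOR a_1 x XOR ... XOR a_d x^d, the variant of item (5)."""
    return reduce(xor, (a * x ** i for i, a in enumerate(coeffs)), 0)


def rivest_criterion(coeffs):
    """Item (4): a_1 odd, a_2 + a_4 + ... even, a_3 + a_5 + ... even."""
    a = list(coeffs) + [0, 0, 0]
    return a[1] % 2 == 1 and sum(a[2::2]) % 2 == 0 and sum(a[3::2]) % 2 == 0


def criterion_matches_bruteforce(evaluate, r=5, max_deg=4, coeff_bound=4):
    """Compare the coefficient criterion with an exhaustive bijectivity test
    modulo 2^r (r > 1) over all polynomials of degree <= max_deg whose
    coefficients lie in [0, coeff_bound); `evaluate` is poly or xor_poly."""
    for coeffs in product(range(coeff_bound), repeat=max_deg + 1):
        if rivest_criterion(coeffs) != is_bijective_mod(lambda x: evaluate(coeffs, x), r):
            return False
    return True


if __name__ == "__main__":
    for r in range(1, 7):
        print(f"r={r}: F bijective: {is_bijective_mod_2d(kleinshamir_map, r)}",
              {name: is_bijective_mod(f, r) for name, f in {**BIJECTIVE, **NOT_BIJECTIVE}.items()})
    print("Rivest criterion vs brute force (polynomials):", criterion_matches_bruteforce(poly))
    print("Rivest criterion vs brute force (XOR-polynomials):", criterion_matches_bruteforce(xor_poly))
```

Note that for the third mapping of item (3) the script reports the outcome modulo each $2^r$ separately; the non-bijectivity modulo $2^r$ for $r\ge 2$ is what the test below records.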
Note that, in general, Theorem \ref{equi} applies to a class of
functions narrower than the class of all compatible functions.
However, it turns out that for $p=2$ this is not the case. Namely, the
2016: following proposition holds, which in fact is just a restatement of a
2017: corresponding assertion of \ref{ergBool}.
2018: \begin{prop}
2019: \label{mpDer}
2020: {\rm(\cite[Corollary 4.6]{me-1}, \cite[Corollary 4.4]{me-conf})}
2021: If a compatible function $g\colon\mathbb Z_2\rightarrow\mathbb Z_2$ preserves
2022: measure then it is uniformly differentiable modulo $2$ and has integer derivative
2023: modulo $2$ (which is always $1$ modulo $2$).
2024: \end{prop}
2025:
2026:
2027: The techniques introduced above could also be applied to characterize ergodic
2028: functions.
2029: \begin{thm}
2030: \label{ergDer}
2031: {\rm (}\cite[Theorem 3.4, resp. 3.14 in the preprint]{me-2}, \cite[Theorem
2032: 5.7]{me-conf}, \cite[Theorem 5.7]{me-1}{\rm )}
2033: Let a compatible function $f\colon{\mathbb Z}_{p}\rightarrow {\mathbb Z}_{p}$
2034: be uniformly differentiable modulo $p^{2}$. Then $f$ is
2035: ergodic if and only if it is transitive modulo $p^{N_{2}(f)+1}$ when
2036: $p$ is an odd prime, or modulo $2^{N_{2}(f)+2}$ when $p=2$.
2037: \end{thm}
2038: \begin{exmp}
2039: \label{ergKlSh}
In \cite{KlSh} it is stated that ``...neither the invertibility nor
2041: the cycle structure of
2042: $x +(x^2\vee 5)$ could be determined by his ({\slshape i.e., mine --- V.A.}) techniques.''
Here, however, is how this can be done immediately with the use of Theorem
\ref{ergDer}:
2045: The function $f(x)=x+(x^2\vee 5)$ is uniformly differentiable
2046: on $\mathbb Z_2$, thus, it is uniformly differentiable modulo 4
2047: (see \ref{DerLog} and an example thereafter), and $N_2(f)=3$. Now to
prove that $f$ is ergodic, in view of \ref{ergDer} it suffices
2049: to demonstrate that $f$ induces a permutation
with a single cycle on $\mathbb Z/32$. Direct calculation shows that the
string
$0,f(0)\bmod 32, f^2(0)\bmod 32=f(f(0))\bmod 32, \ldots, f^{31}(0)\bmod
32$ is a permutation of the string $0,1,2,\ldots,31$, which ends the proof.
2054: \end{exmp}
2055:
2056: Note that both Theorems \ref{equi} and \ref{ergDer} share the same feature:
2057: To prove ergodicity (or measure preservation) of a certain mapping
it suffices to verify only whether this mapping is transitive (respectively,
bijective) modulo $p^N$ for a certain $N$. The origin of this feature is
a peculiarity of the $p$-adic distance; in fact such an effect goes back
to Hensel's lemma. By the way, using this feature, namely, the fact that
a polynomial $f$ with integer coefficients induces an ergodic mapping of $\mathbb
Z_2$ onto itself iff $f$ is transitive
modulo 8 (see \ref{ergPolGen}; note that \ref{ergDer} implies modulo 16),
M.~V.~Larin proved the following theorem in the
spirit of Rivest's theorem, \ref{KlSh-ex}(4).
2067: \begin{thm}
2068: {\rm (\cite[Proposition 21]{Lar})}
2069: Let $P (x )=a_0 +a_1 x + \cdots+a_d x^d$ be a polynomial with integral
2070: coefficients. Then $P (x )$ induces a permutation with a single cycle
2071: modulo $2^ n$, $n>2$ if and only if the following congruences hold simultaneously:
2072: \begin{gather*}
2073: a_3+a_5+a_7+a_9+\cdots\equiv 2a_2\pmod 4;\\
2074: a_4+a_6+a_8+\cdots\equiv a_1+a_2-1\pmod 4;\\
2075: a_1\equiv 1\pmod 2;\\
2076: a_0\equiv 1\pmod 2.
2077: \end{gather*}
2078: \end{thm}
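The orbit computations behind \ref{ergKlSh} and Larin's theorem, as an added Python example that is not part of the paper: the single cycle of $f(x)=x+(x^2\vee 5)$ on $\mathbb Z/32$, its persistence modulo higher powers of $2$ (as Theorem \ref{ergDer} predicts), and a comparison of Larin's four congruences with an exhaustive single-cycle test modulo $8$ and $16$. The degree and coefficient ranges searched are choices made here.

```python
# Added example (not from the paper): orbit computations for Example ergKlSh
# and for Larin's theorem.  Coefficient ranges searched are choices made here.
from itertools import product


def orbit_mod(f, r, start=0):
    """Orbit start, f(start), f^2(start), ... modulo 2^r, stopped when it
    returns to start or exceeds 2^r terms (f need not be a permutation)."""
    size = 1 << r
    seq, x = [start % size], f(start) % size
    while x != seq[0] and len(seq) <= size:
        seq.append(x)
        x = f(x) % size
    return seq


def is_transitive_mod(f, r):
    """True iff f induces on Z/2^r a permutation with a single cycle."""
    orb = orbit_mod(f, r)
    return len(orb) == 1 << r and len(set(orb)) == 1 << r


def klsh(x):
    """f(x) = x + (x^2 OR 5) from Example ergKlSh."""
    return x + (x * x | 5)


def poly(coeffs, x):
    """a_0 + a_1 x + ... + a_d x^d."""
    return sum(a * x ** i for i, a in enumerate(coeffs))


def larin_criterion(coeffs):
    """The four congruences of Larin's theorem for P(x) = a_0 + a_1 x + ... + a_d x^d:
       a_3 + a_5 + ... == 2 a_2 (mod 4),  a_4 + a_6 + ... == a_1 + a_2 - 1 (mod 4),
       a_1 odd, a_0 odd."""
    a = list(coeffs) + [0] * 4
    return ((sum(a[3::2]) - 2 * a[2]) % 4 == 0
            and (sum(a[4::2]) - (a[1] + a[2] - 1)) % 4 == 0
            and a[1] % 2 == 1
            and a[0] % 2 == 1)


def larin_matches_bruteforce(n, max_deg=3, coeff_bound=8):
    """Compare Larin's criterion with an exhaustive single-cycle test modulo 2^n
    (n > 2) over all polynomials of degree <= max_deg with coefficients in
    [0, coeff_bound)."""
    return all(larin_criterion(c) == is_transitive_mod(lambda x: poly(c, x), n)
               for c in product(range(coeff_bound), repeat=max_deg + 1))


if __name__ == "__main__":
    print("orbit of 0 under x + (x^2 OR 5) mod 32:", orbit_mod(klsh, 5))
    print("single cycle mod 2^r, r = 1..10:", [is_transitive_mod(klsh, r) for r in range(1, 11)])
    print("Larin's criterion vs brute force mod 8, mod 16:",
          larin_matches_bruteforce(3), larin_matches_bruteforce(4))
```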
It would be of interest to understand whether an
analogue of \ref{KlSh-ex}(5) for ergodic polynomials over $\mathbb Z$
could be proved; a straightforward application of the same ideas does not work since the function
$x\oplus y$ is uniformly differentiable modulo 2, but not modulo 4, cf.
Theorem \ref{ergDer}.
2085:
2086: \section{Constructions}
2087: \label{sec:Constr}
2088:
In this section we introduce several constructions that enable one to
build pseudorandom number
generators
2092: %and stream ciphers
2093: out of `building blocks' based on ergodic and equiprobable mappings.
2094: Output sequences of these generators are always strictly uniformly
2095: distributed.
2096: Other probabilistic and cryptographic properties of these generators are discussed
2097: in further sections.
2098:
2099: Our base construction is
2100: a finite automaton
2101: ${\mathfrak A}=\langle N,M,f,F,u_0\rangle $ such that
2102: \begin{itemize}
2103: \item the state set $N$ is finite;
2104: \item the state transition function
2105: $f:N\rightarrow N$ is transitive (i.e., $f$ is a permutation with a single
2106: cycle);
2107: \item the output alphabet $M$ is finite, and $|M|$ is a factor
2108: of $|N|$;
2109: \item the output function $F:N\rightarrow M$ is equiprobable, i.e., all
2110: preimages $F^{-1}(z)$, $z\in M$, have the same cardinality $\frac{|N|}{|M|}$;
2111: \item the initial state (a seed) $u_0$ is an arbitrary element of $N$.
2112: \end{itemize}
2113:
2114: Under these conditions the output sequence
2115: $$\mathcal S(u_0)=
2116: \{F(u_0), F(f(u_0)), F(f^{(2)}(u_0)),\ldots, F(f^{(j)}(u_0)),\ldots\}$$
2117: %over
2118: of the automaton $\mathfrak A$ is strictly uniformly distributed
over $M$, i.e., $\mathcal S(u_0)$ is a purely periodic sequence,
2120: $|N|$ is its period length,
2121: and every element $z\in M$ occurs at the period exactly $\frac{|N|}{|M|}$
2122: times, see \ref{prop:Auto}.
\subsection*{Congruential generator of a maximum period length} This corresponds to the case when $N=M$,
$f$ is a compatible and transitive mapping of the residue ring $\mathbb Z/|N|$ onto itself,
and $F$ is the identity transformation (we identify $N$ with $\mathbb Z/|N|$
in an obvious manner).
2127: %i.e. when the automaton $\mathfrak
2128: %A$ has no output function (the output is just a state).
2129: This generator is said to be
2130: {\it congruential} since the algebraic notion of compatibility just
2131: means that $f$ preserves all congruences of the ring $\mathbb Z/|N|$,
2132: i.e. for all $a,b\in N$, $a\equiv b\pmod d\Rightarrow f(a)\equiv f(b)\pmod
2133: d$ whenever $d\,\big | |N|$.
2134: \begin{note}
2135: \label{note:Congr}
In order to avoid future misunderstanding it is important to emphasize here
that {\slshape our notion of a congruential generator
differs from that of Krawczyk}, \cite{Kr}. According to the latter paper, a (general)
2139: congruential generator is a number generator for which the $i$\textsuperscript{th}
2140: element $s_i$ of the sequence is a $\{0,1,\ldots,m-1\}$-valued number computed
2141: by the congruence
2142: \begin{equation}
2143: \label{eq:Kr}
2144: s_i\equiv\sum_{j=1}^k\alpha_j\Phi_j(s_{-n_0},\ldots,s_{-1},s_0,\ldots,
2145: s_{i-1})\pmod m,
2146: \end{equation}
where $\alpha_j\in\mathbb Z$, $m\in\{2,3,\ldots\}$ and $\Phi_j$, $1\le
j\le k$, are arbitrary integer-valued functions. Note that this definition
2149: could be restated in the equivalent form: a (general) congruential generator
2150: is a number generator for which the $i$\textsuperscript{th}
2151: element $s_i$ of the output sequence is computed by the congruence
2152: $$s_i\equiv \Phi(s_{-n_0},\ldots,s_{-1},s_0,\ldots,s_{i-1})\pmod m,$$
2153: where, as Krawczyk notes (see \cite[page 531]{Kr}), $\Phi$ is an {\slshape arbitrary} integer-valued function that works on
2154: {\slshape finite sequences} of integers. Thus, {\slshape according to Krawczyk's definition,
2155: an arbitrary infinite sequence over $\{0,1,\ldots,m-1\}$ should be considered
2156: as a congruential generator}. Such a definition is too general for the purposes
2157: of our paper. Results of \cite{Kr} in connection with a
2158: problem of predictability of the generators considered in this paper will
2159: be discussed later.
2160: %, see Section \ref{sec:Predict}.
2161: \end{note}
2162:
2163: So {\it further in the paper a congruential generator is assumed to be
2164: the automaton
2165: $\mathfrak A$ such that $M=N$, $F:M\rightarrow M$ is a trivial permutation,
2166: and state transition function $f$, being considered
2167: as a mapping of the residue ring $\mathbb Z/|N|$ into itself, preserves all
2168: congruences of this ring}.
2169:
2170: In case the number of states is composite, $|N|=p_1^{n_1}p_2^{n_2}\cdots p_t^{n_t}$,
2171: $p_j$ prime, $j=1,2,\ldots,t$, this generator could
2172: obviously be represented as a direct product of congruential generators
2173: with prime power state set:
2174: $\mathbb Z/|N|=\mathbb Z/p_1^{n_1}\times \cdots \times\mathbb Z/p_t^{n_t}$,
2175: and $f=f_1\times\cdots\times f_t$, where $f_j=(\tilde f_j)\bmod p_j^{n_j}$,
2176: $\tilde f_j\colon\mathbb Z_{p_j}\rightarrow\mathbb Z_{p_j}$ is a compatible
2177: and ergodic mapping, $j=1,2,\ldots,t$.
2178: \begin{exmp*} For $N=10^k=2^k\cdot 5^k$ the mapping
2179: $f(x)=11x+{11^x}$ is transitive modulo
2180: $10^k$ for all $k=1,2,\ldots$ (see \ref{expGen} and a note thereafter).
2181: \end{exmp*}
2182: Thus, the case of composite number
2183: of states could be reduced to the case when a number of states is a power
2184: of a prime, i.e., when $|N|=p^n$.
2185: % to study properties of such
2186: % a
2187: % congruential generator with a composite num
2188: % this generators it is sufficient to study
An obvious disadvantage of this congruential generator is that the {\slshape
period length
of the sequence}
$\{\delta_j(f^{(i)}(u_0)): i=0,1,2,\dots\}$ (where $\delta_j(z)$
stands for the $j$\textsuperscript{th} digit of the base-$p$ expansion
of $z$) {\slshape is exactly $p^{j+1}$, i.e., only the most
significant digit of the output sequence has the maximum period length}, which
obviously equals the period of the whole output sequence.
2197:
While not very
significant when the output sequence is used for simulation
tasks
(especially if one uses
the sequence $\Big\{\frac{f^{(i)}(u_0)}{p^n}\Big\}$,
as is common in numerical experiments),
this disadvantage in general
makes the generator cryptographically insecure
whenever the function $f$ is known
to the cryptanalyst.
Indeed, to solve a congruence $z\equiv f(x)\pmod {p^n}$
(and as a result to find the key, which is the initial state $u_0$ in this
case) one might use a version of the $p$-adic Newton's method (the latter is
the basis of the canonical
proof of Hensel's lemma).
2214:
2215: Namely, one solves a congruence $z\equiv f(x)\pmod {p}$,
2216: thus finding the least significant digit $\delta_0(x)$ of $x$. Provided
2217: $\delta_j(x)$ for $j=0,1,\ldots,k-1$ are already found, to find $\delta_k(x)$
one has to find the (unique) solution of the congruence $z\equiv f(\hat x)+
p^k\check f_k(\hat x,\delta_k(x))\pmod
{p^{k+1}}$, where $\hat x=\delta_0(x)+\delta_1(x)\cdot p+\cdots+\delta_{k-1}(x)\cdot
p^{k-1}$ and the mapping $\check f_k(\cdot,\cdot)\colon \mathbb Z/p^k\times
\mathbb Z/p\rightarrow\mathbb Z/p$ is uniquely determined by $f$. Of course,
2223: to express explicitly $\check f_k(\cdot,\cdot)$ is a separate problem, yet
2224: it is easy in a number of important cases. For instance,
2225: $\check f_k(\hat x,\delta_k(x))=\delta_k(x)$ in case $p=2$ (see \ref{mpDer}).
2226:
We may also consider the case when $f$ is not known to the cryptanalyst:
e.g., for $p=2$ one may take
$f=1+x+4g(x)$, where $g(x)$ is a compatible key-dependent function, which
is not known to the cryptanalyst.
2231: Such function $f$ is ergodic, see
2232: \ref{compBool}.
2233: % In this case a cryptoanalist knows a degree $\deg
2234: % g$, but not coefficients of the polynomial $g(x)$, which are key dependent.
This situation is somewhat better than that of a known $f$.
However,
the sequence formed of the less significant bits of $f^{(i)}(u_0)$ is predictable
in both directions, i.e., knowing $k$ members of the sequence $\{f^{(i)}(u_0)\}$
the cryptanalyst finds $\delta_j(f^{(i)}(u_0))$ for all $j<\log_2 k$ and
all $i=0,1,2,\ldots$, stretching
the corresponding periods in both directions. Thus, a good idea is to discard
the less significant bits of the output sequence. Note that the methods of \cite{Kr},
as is directly pointed out there, do not apply to generators that output
only parts of the numbers generated. So we come to the notion of
2245: \subsection*{Truncated congruential generator of a maximum period length} The
2246: latter is an automaton $\mathfrak A$ such that $|N|=p^n$, $p$ prime, $|M|=p^m$,
2247: $m<n$, $f=(\tilde f)\bmod p^n$, $f$ is a compatible and ergodic mapping
2248: of $\mathbb Z_p$ onto itself, $F(u)=\big\lfloor \frac{u}{p^{n-m}}\big\rfloor$,
2249: $u\in\{0,1,\ldots, p^n-1\}$.
2250: Note that the function $F$ is not compatible, yet equiprobable, so
2251: the output sequence, considered as a sequence over $\mathbb Z/p^m$,
2252: is purely periodic with period length exactly $p^n$, and
2253: each element of $\mathbb Z/p^m$ occurs at the period exactly $p^{n-m}$
2254: times.
In this paper we focus mainly on the case
$p=2$.
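As an added example (not code from the paper), the following Python script builds the automaton $\mathfrak A$ with $N=\mathbb Z/2^n$, the state transition $f(x)=x+(x^2\vee 5)$ (ergodic by \ref{ergKlSh}), and two output functions: the identity, giving the congruential generator, and truncation to the $m$ most significant bits, giving the truncated congruential generator. It confirms for $n=8$ that the $j$\textsuperscript{th} coordinate sequence has period exactly $2^{j+1}$ and that the truncated output has period $2^n$ with every element of $\mathbb Z/2^m$ occurring $2^{n-m}$ times. The parameters $n=8$, $m=3$ and the seed $u_0=0$ are choices made here.

```python
# Added example (not from the paper): the automaton A = <N, M, f, F, u_0>
# with N = Z/2^n and f(x) = x + (x^2 OR 5), as a congruential generator and
# as a truncated congruential generator.  n, m and u_0 are choices made here.


def klsh(x):
    """State transition f(x) = x + (x^2 OR 5); ergodic on Z_2 (Example ergKlSh)."""
    return x + (x * x | 5)


def automaton_output(f, F, u0, modulus, steps):
    """Output sequence F(u_0), F(f(u_0)), F(f^2(u_0)), ... of the automaton,
    with states reduced modulo `modulus`; returns the first `steps` terms."""
    out, u = [], u0 % modulus
    for _ in range(steps):
        out.append(F(u))
        u = f(u) % modulus
    return out


def least_period(seq):
    """Least period of a window of a purely periodic sequence.  The window
    must cover at least two full periods for the answer to be exact."""
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i - p] for i in range(p, len(seq))):
            return p
    return len(seq)


def state_period(n, u0=0):
    """Period of the state sequence itself, i.e. of the congruential
    generator with F the identity."""
    return least_period(automaton_output(klsh, lambda u: u, u0, 1 << n, 2 << n))


def coordinate_periods(n, u0=0):
    """Period of the j-th coordinate sequence {delta_j(f^i(u_0))} for
    j = 0, ..., n-1; the text states it equals 2^(j+1)."""
    return [least_period(automaton_output(klsh, lambda u, j=j: (u >> j) & 1,
                                          u0, 1 << n, 2 << n))
            for j in range(n)]


def truncated_output(n, m, u0=0):
    """Truncated congruential generator: F(u) = floor(u / 2^(n-m)), i.e. the
    m most significant bits of the n-bit state.  Returns (period, counts of
    each output symbol over one period 2^n)."""
    seq = automaton_output(klsh, lambda u: u >> (n - m), u0, 1 << n, 2 << n)
    counts = {}
    for z in seq[: 1 << n]:
        counts[z] = counts.get(z, 0) + 1
    return least_period(seq), counts


if __name__ == "__main__":
    print("state period (n=8):", state_period(8))
    print("coordinate periods (n=8):", coordinate_periods(8))
    print("truncated output (n=8, m=3):", truncated_output(8, 3))
```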
2257:
2258:
2259: % To improve probabilistic quality of output sequences of the automata considered
2260: % further we will use (along with compatible equiprobable output functions)
2261: % %we will use also
2262: % those output functions that are not compatible, yet equiprobable.
2263: %
2264:
2265:
2266:
2267: % We do not recall them here since in the sequel we
2268: % consider as output functions certain eqiprobable mappings of very special kind,
2269: % and to prove their equiprobability we will not need general theorems of \cite{me-2}.
2270:
2271: An important example of such an output function $F$ is
2272: the mapping
$\delta_j\colon\mathbb Z_2\rightarrow\mathbb Z/2$. It returns the
$j$\textsuperscript{th} digit of $z$
and is obviously equiprobable.
2276: We call the corresponding sequence $\{\delta_j(f^{(i)}(z)): i=0,1,2,\dots\}$
2277: the {\it
2278: $j$\textsuperscript{th} coordinate sequence}, since the sequence $\{f^{(i)}(z): i=0,1,2,\dots\}$
2279: could be thought of as a sequence of vectors
2280: $\{(\delta_0(f^{(i)}(z)),\delta_1(f^{(i)}(z)),\dots): i=0,1,2,\dots\}$
2281: over a field $\mathbb Z/2$ of two elements. Of course, the use of $\delta_j$
2282: as an output function of the automaton $\mathfrak A$ significantly reduces
2283: the performance, and the corresponding pseudorandom
2284: generator might be not of much practical value.
2285: Nonetheless, we have to study coordinate sequences
2286: to be able to prove certain important properties of output sequences of pseudorandom
generators considered in the paper. In particular, while studying the probabilistic
2288: quality of output sequences of truncated
2289: congruential generators one has to study correlations among coordinate
2290: sequences. We postpone these issues to Section \ref{sec:Prop}.
2291:
2292: A truncation usually makes generators slower but more secure:
2293: general methods that predict truncated congruential generators are not known, see
2294: \cite{Bri-Od},\cite{Menz}. However, such methods exist in some particular
2295: cases, for instance, when $f$ is a polynomial over $\mathbb Z$ of degree
2296: $1$, and/or a relatively small part of less significant bits are discarded,
2297: %(for truncated linear congruential generators
see \cite{five}. However, in general truncated congruential generators
seem to be rather secure even if their state transition function is relatively
simple: for instance, an analysis made in \cite{KlSh-2} shows that for
2301: $f(x)=(x+(x^2\vee C))\bmod 2^n$ the corresponding stream cipher
2302: is quite strong against a number of attacks. Note also that in generators
2303: we study here both the state
2304: transition function and output function could be keyed.
2305:
2306: %, for truncated
2307: %quadratic and cubic generators see \cite{Boyar}.)
2308:
2309:
\subsection*{Wreath products of congruential generators} This construction enables
one to construct pseudorandom generators whose state
transition function (and output function) is modified dynamically as the generator runs,
i.e., generators whose recurrence sequence
of states satisfies a congruence
$$x_{i+1}\equiv f_i(x_i)\pmod{2^n}.$$ Such generators are called
2316: {\it counter-dependent}, see \cite[Definition 2.4]{ShTs}.
2317: The problem here is how to guarantee period length (and statistical quality)
2318: of this sequence $\{x_i\}$. The construction we introduce below offers a
2319: certain solution to this problem; the idea of the construction goes back
2320: to wreath products of permutation groups. The exact definition (which could
2321: be found in, e.g., \cite{Pas}) is not needed within a context of this paper;
2322: %for a definition;
2323: %the latter is not needed to understand the following construction, yet
2324: we note, however, that this construction is just a permutation
2325: that belongs to a wreath product of a Sylow $2$-subgroup of a symmetric
2326: group on $2^n$ elements by a cyclic group.
2327:
2328: The idea of the construction is the following:
2329: Consider a (finite or infinite) sequence of automata
$\mathfrak A_j=\langle N,M,f_j,F_j\rangle$, $j\in J=\{0,1,2,\ldots\}$
2331: (where $J$ is finite, or $J=\mathbb N_0$).
2332: %and an arbitrary permutation
2333: %$T$ of elements of $J$
2334: Note that all the automata $\mathfrak A_j$
2335: have the same state set $N$
2336: and the same output alphabet $M$. Now produce the following sequence
2337: $\{z_i\colon i=1,2,\ldots\}$:
2338: Choose an arbitrary $u_0\in N$ and put
2339: $$z_0=F_0(u_0),u_1=f_0(u_0);\ldots
2340: z_{i}=F_i(u_i), u_{i+1}=f_i(u_i);\ldots$$
2341: That is, at the $(i+1)$\textsuperscript{th} step the automaton $\mathfrak A_i$
2342: is applied to the state $u_i$ producing a new state $u_{i+1}=f_i(u_i)$ and
2343: outputting a symbol $z_{i}=F_i(u_i)$.
2344:
2345:
2346:
2347:
2348: %This construction enables
2349: %one to design stream encryption schemes with dynamically changing parameters.
2350:
2351: Now we give a more formal
2352: \begin{defn}
2353: \label{def:WP}
2354: Let $\mathfrak A_j=\langle N,M,f_j,F_j\rangle$ be a family of
2355: automata with the same state set $N$ and the same
2356: output alphabet $M$ indexed by elements of
a non-empty (possibly, countably infinite) set $J$
2358: (members of the family are not necessarily pairwise distinct).
2359: Let $T\colon J\rightarrow J$ be an arbitrary mapping. A {\it wreath product}
2360: $\mathfrak A_j\Wr_{j\in J}T$
2361: of the family $\{\mathfrak A_j\}$ of the automata
2362: by the mapping $T$ is an automaton with state set $N\times J$, state
2363: transition function $\breve f(j,z)=(f_j(z),T(j))$ and output function
2364: $\breve F(j,z)=F_j(z)$. The state transition function $\breve f(j,z)=(f_j(z),T(j))$
2365: is called a {\it wreath product of family of mappings $\{f_j\colon j\in
2366: J\}$ by the mapping $T$}; it is denoted as $\breve f=f_j\Wr_{j\in J}T$.
2367: \end{defn}
It is worth noticing here that if $J=\mathbb N_0$ and $F_i$ does not depend on $i$, this construction
gives a number of examples of counter-dependent generators
in the sense of \cite[Definition 2.4]{ShTs}.
2371: %so results of this subsection
2372: %coud be considered also as further development in construction of counter-dependent
2373: %generators.
Note also that the generators we consider in this subsection are counter-dependent
in a broader sense: not only
2376: their state transition functions depend on $i$,
2377: but their output functions as well.
2378: % However, we shall not study their diversity, the main notion of
2379: % \cite[Definition 2.5]{ShTs}. Instead,
2380: % in this subsection
2381: % we shall calculate {\sl exact period lengths} $P$ of their internal state sequences,
2382: % as well as of output sequences. Further in Section \ref{sec:Prop} we will demonstrate
2383: % that the \underline{distribution of $k$-tuples} for $k\le\log_2 P$ in their output sequences
2384: % \underline{is uniform}. The same will be done also in case $F_i$ \underline{depends}
2385: % on $i$.
2386:
2387: In fact, we are already familiar with wreath products of mappings: See the
2388: following
2389: \begin{exmp*}
2390: Let $J=\mathbb Z/2^n$, let $T\colon\mathbb Z/2^n\rightarrow\mathbb Z/2^n$
2391: be an arbitrary compatible permutation with a single cycle.
2392: Put $N=\{0,1\}$, $f_z(u)=u\oplus\beta(z)$, where $u\in N$ and
2393: $\beta(z)=\beta(\delta_0(z),\ldots,\delta_{n-1}(z))$ is a Boolean polynomial
2394: of degree $n$ in $n$ Boolean variables (so $\{f_z\}$ is a family of linear
2395: congruential generators modulo $2$). Then $\breve f=f_z\Wr_{z\in J}T$ could
2396: be considered as a mapping of $\mathbb Z/2^{n+1}$ onto itself (we identify
2397: $(\varepsilon,z)\in N\times J$ with $z+\varepsilon\cdot 2^n\in\mathbb Z/2^{n+1}$);
2398: moreover, $\breve f$ is a compatible permutation on $\mathbb Z/2^{n+1}$
with a single cycle in view of \ref{ergBool}. Thus, every compatible and
ergodic mapping modulo $2^k$ can be obtained by successive application
of wreath products. In fact, all compatible mappings of $\mathbb Z/2^{n+1}$
onto itself form a group $Syl_2(2^{n+1})$ with respect to composition.
This group is a Sylow
$2$-subgroup of the symmetric group $Sym(2^{n+1})$ on $\mathbb Z/2^{n+1}$;
2405: it is known (see e.g. \cite{Pas}) that
2406: $$Syl_2(2^{n+1})=\underbrace {Sym(2)\wr Sym(2)\wr\cdots\wr Sym(2)}_{\text{$n+1$ factors}}.$$
2407: Here $\wr$ stands for the wreath product of groups.
2408: \end{exmp*}
2409:
2410: A generalization of the above example gives the following
2411: \begin{prop}
2412: \label{WP-even}
2413: Let $T\colon\mathbb Z/2^m\rightarrow\mathbb Z/2^m$, $m\ge 1$,
2414: be an arbitrary permutation
2415: with a single cycle,
2416: let $\{c_0,\ldots,c_{2^m-1}\}$ be a finite sequence
2417: of $2$-adic integers,
2418: %such that $\sum_{j=0}^{2^m-1}c_j\equiv 1\pmod 2$,
2419: and let $\{f_0,\ldots,f_{2^m-1}\}$ be a finite sequence of compatible
2420: mappings of $\mathbb Z_2$ onto itself.
2421: %{\rm ($f_j$
2422: %are not necessarily pairwise distinct)}.
2423: Put $H_j(x)=c_j+x+4\cdot f_j(x)$.
2424: %$j=0,1,2,\ldots,2^m-1$.
2425: Then the wreath product
2426: $H_j\Wr_{j=0}^{2^m-1}T$ defines a bijective mapping
2427: $W\colon\mathbb Z_2\twoheadrightarrow \mathbb Z_2$
2428: %according to the folowing rule:
2429: $$W(x)=T(x\bmod{2^m})+2^m\cdot H_{x\bmod{2^m}}
2430: \bigg(\Big\lfloor\frac{x}{2^m}\Big\rfloor\bigg);$$
this mapping is asymptotically compatible and asymptotically ergodic
2432: {\rm (i.e., $a\equiv b\pmod{2^k}\Rightarrow W(a)\equiv W(b)\pmod{2^k}$ and
2433: $W$ is transitive modulo $2^k$ for all sufficiently large $k$; in fact,
2434: for all $k>m$, see \cite{me-conf, me-1, me-2} for definitions)} if and only if
2435: $\sum_{j=0}^{2^m-1}c_j\equiv 1\pmod 2$.
2436: % That is, $a\equiv b\pmod{2^k}\Rightarrow W(a)\equiv W(b)\pmod{2^k}$ and
2437: % $W$ is transitive modulo $2^k$ for all sufficiently large $k$ {\rm(}in fact,
2438: % for all $k>m${\rm)}.
2439:
2440: In other words,
2441: every recurrence sequence $\mathcal U_n=\{x_i\}$ defined by the relation
2442: $$x_{i+1}=H_{i\bmod{2^m}}(x_i)\bmod{2^n}$$
2443: %{\rm (}$n=1,2,3,\ldots${\rm )}
is a strictly uniformly distributed sequence
over $\mathbb Z/2^n$ of period length exactly $2^{n+m}$
2446: %{\rm (i.e., with every element of $\mathbb Z/2^n$
2447: %occurring at the period exactly $2^m$ times)}
2448: if and only if
2449: $\sum_{j=0}^{2^m-1}c_j\equiv 1\pmod 2$.
2450: \end{prop}
\begin{proof} Since a wreath product of permutations on sets $N$ and $M$
is a permutation on the direct product $N\times M$ (see \ref{def:WP}),
the sequence $\mathcal U_n$ is purely periodic.
2454: %so
2455: %it is sufficient to prove the proposition in its equivalent (second) form.
2456: Moreover, since the permutations $T$ and $I\colon z\mapsto (z+1)\bmod 2^m$ are
2457: conjugate in $Sym(2^m)$, and thus both wreath products
2458: $(H_j\bmod 2^n)\Wr_{j=0}^{2^m-1}T$
2459: and $(H_j\bmod 2^n)\Wr_{j=0}^{2^m-1}I$ have the same cycle structure (the same number
of cycles of length $\ell$, for all $\ell=1,2,\ldots$), it is sufficient to study the period of the
sequence $x_{i+1}=H_{i}(x_i)\bmod{2^n}$, where we put $H_i=H_{i\bmod{2^m}}$
for $i\ge 2^m$.
2463: %(further in the proof we also assume that lower indices of
2464: %$H_j$, $g_j$ and $c_j$ are
2465: %always reduced modulo $2^m$).
2466: Further, since
2467: $W_n=(H_j\bmod 2^n)\Wr_{j=0}^{2^m-1}I\in Syl_2(2^{n+m})$,
2468: the period length of the sequence $\{x_i\}$ is a power of $2$. Finally,
2469: since the mapping $W_n\colon\mathbb Z/2^{n+m}\rightarrow\mathbb Z/2^{n+m}$
is compatible, it is necessary and sufficient to understand when $W_n$ is transitive
modulo $2^{n+m}$ (that is, modulo $2^k$ with $k=n+m$). Yet the mapping $W_n$ can be considered
2472: as a function of a variable $z=i+2^m\cdot x\in\mathbb Z/2^{m+n}$, where
2473: $i\in\{0,1,\ldots, 2^m-1\}$ and $x\in\{0,1,\ldots, 2^n-1\}$.
2474: %we introduce a new variable $z=i+2^m\cdot x\in\mathbb Z/2^{m+n}$.
2475: % , or, equivalently, when a period length
2476: % of
2477: % each binary sequence $\{\delta_j(H_i(x_i))\colon i=0,1,2,\ldots\}$, $j=0,1,2,\ldots
2478: % $, is $2^{m+j+1}$.
2479: Thus, we could apply \ref{ergBool} to study transitivity of $W_n$.
2480: Since $W_n(z)\equiv z+1\pmod{2^m}$ by the definition,
2481: we only have to calculate $\delta_j(H_i(x))$.
2482:
2483: One has $\delta_0(c_i+x)\equiv \chi_0+\beta(i)\pmod 2$ and
2484: $$\delta_j(c_i+x)\equiv \chi_j+\beta(i)\chi_0\cdots\chi_{j-1}+
2485: \gamma_{ji}(\chi_0,\ldots,\chi_{j-1})\pmod 2 \qquad (j>0),$$
2486: where $\chi_j=\delta_j(x)$, $\beta(i)=\delta_0(c_i)$,
2487: $\gamma_{ji}(\chi_0,\ldots,\chi_{j-1})$ is a Boolean polynomial of degree
2488: $<j$ in Boolean variables $\chi_0,\ldots,\chi_{j-1}$. Yet
$\delta_j(4\cdot f_i(x))$ is a Boolean polynomial in Boolean variables
2490: $\chi_0,\ldots,\chi_{j-2}$ for $j\ge 2$, and is $0$ otherwise. Thus,
2491: \begin{equation}
2492: \label{eq:WP-even}
2493: \delta_j(H_i(x))\equiv\chi_j+\beta(i)\chi_0\cdots\chi_{j-1}+
2494: \lambda_{ji}(\chi_0,\ldots,\chi_{j-1})\pmod 2,
2495: \end{equation}
2496: where $\deg\lambda_{ji}<j$, $j=1,2,\ldots$, and
2497: $\delta_0(H_i(x))\equiv\chi_0+\beta(i)\pmod 2$.
2498:
2499: Assuming $\zeta_r=\delta_r(z)$ for $r=0,1,\ldots, m+n-1$ one can consider
2500: $\beta(i)$ for $i\in\{0,1,\ldots, 2^m-1\}$
2501: as a Boolean polynomial in Boolean variables
2502: $\zeta_0,\ldots,\zeta_{m-1}$; similarly, $\lambda_{ji}$
2503: could be considered as a Boolean polynomial in Boolean variables
2504: $\zeta_0,\ldots,\zeta_{m+j-1}$. Since the degree of $\lambda_{ji}$ in variables
2505: $\chi_0,\ldots,\chi_{j-1}$ is less than $j$ (see the argument above), the
2506: degree of this polynomial in variables $\zeta_0,\ldots,\zeta_{m+j-1}$
2507: is less than $m+j$. Thus, in view of \ref{Delta} and \eqref{eq:WP-even},
2508: the mapping $W_n$ is transitive iff $\deg\beta=m$, i.e., iff the Boolean
2509: polynomial $\beta$ is of odd weight. Yet the latter is equivalent to the
2510: condition $\sum_{i=0}^{2^m-1}\beta(i)\equiv 1\pmod 2$. This proves the
2511: proposition since $\sum_{i=0}^{2^m-1}\beta(i)\equiv \sum_{i=0}^{2^m-1}
2512: c_i\pmod 2$.
2513: %$\zeta_m=\delta_0(x)=\chi_0,\ldots,\zeta_{j+m-1}=\delta_{j-1}(x)=\chi_{j-1}$
2514: % As $f_j$ is compatible and ergodic, then $f_j(x)=c_j+x+2\cdot
2515: % g_j(x)$ for suitable $2$-adic integer $c_j$ and suitable compatible mapping
2516: % $g_j\colon\mathbb Z_2\rightarrow\mathbb Z_2$, see \ref{Delta}.
2517: %
2518: % Now we
2519: % % note that $f_i(x)=1+x+2\Delta g_i(x)$ for a suitable compatible
2520: % % $g_i(x)$ (see \ref{Delta})
2521: % % and
2522: % proceed with induction on $n$.
2523: % For $n=1$ one has $x_{i+1}=x_i+c_{i}\bmod 2$;
2524: % %therefore
2525: % %$x_{i+1}\equiv x_0+\sum_{j=0}^{i}\pmod 2$;
2526: % thus, $x_{i+P}\equiv x_i\pmod
2527: % 2$ for all
2528: % $x_i$ implies that $\sum_{j=i}^{i+P-1}c_j\equiv 0\pmod 2$ for all $i=0,1,2,\ldots$.
2529: % The latter congruence implies that $c_i\equiv c_{i+P}\pmod 2$ for all $i$, i.e.,
2530: % that the sequence $\{c_i\}$ is periodic with period length $P$. In case
2531: % $P\le 2^m$ this implies $P|2^m$;
2532: % hence $P=2^k$ for suitable $k\le m$. Yet from here it follows that $\sum_{i=0}^{2^m-1}c_i\equiv
2533: % 0\pmod 2$, in contradiction with the condition
2534: % $\sum_{j=0}^{2^m-1}c_j\equiv 1\pmod 2$ of the proposition. Thus,
2535: % it is possible only that $P>2^m$. Yet assuming $P=2^{m+1}$ one has $x_{i+2^m}\equiv
2536: % x_i+\sum_{j=i}^{2^{m+1}-1}c_j\equiv x_i+2\sum_{j=i}^{2^{m+1}-1}c_j\equiv
2537: % x_i\pmod 2$. Hence, $P=2^{m+1}$ is a period length of the sequence $\{x_i\}$; it
2538: % follows that $x_{i+2^m}\equiv x_i+\sum_{j=i}^{2^{m}-1+i}c_j\equiv x_i+1\pmod
2539: % 2$.
2540: %
2541: % Now let the proposition be true for $n=k\ge 1$; let us prove it for $n=k+1$.
2542: % In fact, we have to demonstrate that the order of the permutation
2543: % $(H_j\bmod 2^{k+1})\Wr_{j=0}^{2^m-1}S$ is $2^{m+k+1}$ assuming that the order
2544: % of the permutation $(H_j\bmod 2^{k})\Wr_{j=0}^{2^m-1}S$ is $2^{m+k}$. Thus,
2545: % we only have to demonstrate that the period of the sequence $x_{i+1}=H_i(x_i)\bmod
2546: % 2^{k+1}$ is bigger than $2^k$, i.e., that $x_{i+2^k}\not\equiv x_i\pmod{2^{k+1}}$
2547: % for at least one (equivalently, every) $x_i$. Having this in mind, just calculate
2548: % $x_{i+2^k}\bmod{2^{k+1}}$.
2549: %
2550: % % One has
2551: % % $x_i\equiv x_0+\sum_{j=0}^{i-1}c_j+2\cdot
2552: % % \Big(\sum_{j=0}^{i-1}g_j(x_j+1)-\sum_{j=0}^{i-1}g_j(x_j)\Big)\pmod{2^{k+1}},$
2553: % % thus
2554: % % %\begin{equation}
2555: % % %\label{eq:WP-even}
2556: % % % $x_{2^{m+k}}\equiv x_0+\sum_{j=0}^{2^{m+k}-1}c_j+2\cdot
2557: % % % \Big(\sum_{j=0}^{2^{m+k}-1}g_j(x_j+1)-\sum_{j=0}^{2^{m+k}-1}g_j(x_j)\Big)
2558: % % % \pmod{2^{k+1}}
2559: % % % $, so
2560: % % % %\end{equation}
2561: % % \begin{multline*}
2562: % % x_{2^{m+k}}\equiv x_0+\sum_{j=0}^{2^{m+k}-1}c_j+\\ + 2\cdot
2563: % % \Bigg(\sum_{v=0}^{2^k-1} \Bigg(\sum_{u=0}^{2^{m}-1}g_j(x_{v2^{m}+u}+1)-
2564: % % \sum_{u=0}^{2^{m}-1} g_j(x_{v2^{m}+u})\Bigg)\Bigg)\pmod{2^{k+1}}
2565: % % \end{multline*}
2566: \end{proof}
2567:
Two important notes are worth stating here. The first of them concerns further
generalizations
of proposition \ref{WP-even}.
2571: \begin{note}
2572: \label{WP-even-more}
2573: %One of key points of the proof was \eqref{eq:WP-even}. It holds in other
2574: %cases also:
2575: The proof of \ref{WP-even} shows that {\it
2576: %to make
2577: the proposition holds if $H_j$ satisfy
2578: %to make \eqref{eq:WP-even}
2579: %valid
2580: the following conditions: $\sum_{j=0}^{2^m-1}H_j(0)\equiv 1\pmod 2$ and
2581: $\delta_i(H_j(x))\equiv \delta_i(x)+\rho_i(j;x)\pmod 2$ $(i=0,1,2\ldots)$, where the
2582: Boolean polynomial $\rho_i$ in Boolean variables $\delta_r(j)$, $\delta_s(x)$
2583: $(r\in\{0,1,\ldots,m-1\}$, $s\in\{0,1,\ldots, i-1\})$ is of odd weight
2584: for $i>0$} (see the argument proving \eqref{eq:WP-even} and text thereafter).
In order to satisfy the latter of these conditions one can take, e.g., $H_j(x)=x+h_j(x)$,
where every $\delta_i(h_j)$ is a Boolean polynomial of even weight in the Boolean
variables $\delta_0(x),\ldots,\delta_{i-1}(x)$\footnote{Such mappings $h_j$
are called {\it even parameters} in \cite{KlSh-2}.}.
2589: Also, one can assume in conditions of \ref{WP-even} that, e.g.,
2590: $H_j=(c_j+x)\oplus(2\cdot g_j(x))$ (or $H_j=c_j+x+2\cdot g_j(x)$) for measure
2591: preserving $g_j$, etc.
2592: \end{note}
2593: \begin{exmp*}
2594: {\it Let $H_j(x)=c_j+x+(x^2\vee C_j)$, where $\sum_{j=0}^{2^m-1}c_j\equiv 1\pmod 2$
2595: and $C_j\equiv 7\pmod 8$, then the recurrence sequence defined by
2596: $x_{i+1}= c_{i\bmod 2^m}+x_i+(x_i^2\vee C_{i\bmod 2^m})$ is strictly
2597: uniformly distributed modulo $2^n$}. It is sufficient to note only that $x^2\vee
7$ is an even parameter, see \cite{KlSh-2}. This example is a variation on the
theme of Theorem 3 there, which considers a similar problem for the sequence
defined by the relation $x_{i+1}= (x_i+(x_i^2\vee C_{i\bmod m}))\bmod 2^n$
with odd $m$ (the case when $T$ acts on a set of odd order is discussed below).
2602: \end{exmp*}
2603: The second important note relates wreath products and truncation.
2604: \begin{note}
2605: \label{WP-even-trunc}
It follows immediately from the proof of proposition \ref{WP-even} that {\it
2607: each recurrence sequence $\mathcal X_n$ defined by $x_{i+1}=f_{i\bmod 2^m}(x_i)\bmod 2^n$ with
2608: compatible $f_i$ could be
2609: obtained by a truncation of $m$ low order bits of the recurrence sequence
2610: defined by $z_{i+1}=G(z_i)\bmod 2^{n+m}$ for a suitable compatible mapping
$G\colon\mathbb Z_2\rightarrow\mathbb Z_2$}. However, in practice it
may be more convenient to produce the sequence according to the law
$x_{i+1}=f_{i\bmod 2^m}(x_i)\bmod 2^n$ than according to the law
$z_{i+1}=G(z_i)\bmod 2^{n+m}$ with further truncation, since the mapping
$G$ may be extremely complicated even though all $f_i$ are relatively simple.
2616: As a bonus we have also that {\it all the results that are established further
2617: in the paper for
2618: truncated congruential generators remain true for generators of form
2619: $x_{i+1}=f_{i\bmod 2^m}(x_i)\bmod 2^n$}.
2620: \end{note}
2621:
Using the ideas of proposition \ref{WP-even} it is possible to handle the case
when $T$ acts on a set of odd order.
2624: \begin{prop}
2625: \label{WP-odd}
2626: Let $m>1$ be odd; let, further, $\{f_0,\ldots,f_{m-1}\}$ be a finite sequence of compatible
2627: and ergodic mappings of $\mathbb Z_2$ onto itself, and let
2628: %$T\colon\mathbb Z/m\rightarrow\mathbb Z/m$, $m$ odd,
2629: %be an arbitrary permutation
2630: %with a single cycle,
2631: %let further
2632: $\{d_0,\ldots,d_{m-1}\}$ be a finite sequence of $2$-adic
2633: integers such that
2634: \begin{itemize}
2635: \item $\sum_{j=0}^{m-1}d_j\equiv
2636: 0\pmod 2$, and
2637: \item the sequence
2638: $\{d_{i\bmod m}\bmod 2\colon i=0,1,2,\ldots\}$ is purely periodic
2639: with period length exactly $m$.
2640: \end{itemize}
2641: %let $\{c_0,\ldots,c_{2^m-1}\}$ be a finite sequence
2642: %of $2$-adic integers,
2643: %such that $\sum_{j=0}^{2^m-1}c_j\equiv 1\pmod 2$,.
2644: %{\rm ($f_j$
2645: %are not necessarily pairwise distinct)}.
2646: Put $H_j(x)=d_j\oplus f_j(x)$ {\rm (}respectively, $H_j(x)=d_j+f_j(x)${\rm)}.
2647: %, where $\ast\in\{+,\XOR\}$,
2648: %$j=0,1,2,\ldots,2^m-1$.
2649: Then the wreath product
2650: $(H_j\bmod 2^n)\Wr_{j=0}^{m-1}I$, where $I(j)=(j+1)\bmod m$,
2651: defines a permutation $W\colon\mathbb Z/2^nm\twoheadrightarrow \mathbb Z/2^nm$
2652: with a single cycle.
2653: %according to the folowing rule:
2654: %$$W(x)=(T(x\bmod{m}),f_{T(x\bmod{2^m})}
2655: %\bigg(\Big\lfloor\frac{x}{2^m}\Big\rfloor\bigg);$$
2656:
2657: Moreover, a recurrence sequence $\mathcal W_n=\{x_i\in\mathbb Z/2^n\}$ defined by the relation
2658: $$x_{i+1}=H_{i\bmod m}(x_i)\bmod 2^n$$
2659: is a strictly uniformly distributed
2660: purely periodic sequence with period length exactly $2^nm$ such that
2661: every element of $\mathbb Z/2^n$ occurs at the period exactly $m$ times.
2662: \end{prop}
2663: Obviously, it is sufficient to prove only the second part of the statement.
2664: %Moreover, after proper re-enumeration of $c_0,\ldots,c_{m-1}$ one can assume
2665: %that $T(i)\equiv i+1\pmod m$.
2666: We need the following
2667: \begin{lem}
2668: \label{le:WP-odd}
2669: Let $g_0,\ldots,g_{m-1}$ be a finite sequence of compatible
2670: mappings of $\mathbb Z_2$ onto itself such that
2671: \begin{itemize}
2672: \item $g_j(x)\equiv x+c_j\pmod 2$ for $j=0,1,\ldots,m-1$,
2673: %\item the sequence $\{d_j=(c_j+1)\pmod 2\}$ satisfy conditions of proposition \ref{WP-odd},
2674: \item $\sum_{j=0}^{m-1}c_j\equiv
2675: 1\pmod 2$,
2676: \item the sequence
2677: $\{c_{i\bmod m}\bmod 2\colon i=0,1,2,\ldots\}$ is purely periodic
2678: with period length exactly $m$,
2679: \item $\delta_k(g_j(z))\equiv \zeta_k+\varphi_k^j(\zeta_0,\ldots,\zeta_{k-1})\pmod
2680: 2$, $k=1,2,\ldots$,
2681: where $\zeta_r=\delta_r(z)$, $r=0,1,2,\ldots$,
2682: \item for each $k=1,2,\ldots$ an odd number of Boolean polynomials
2683: $\varphi_k^j(\zeta_0,\ldots,\zeta_{k-1})$
2684: in Boolean variables $\zeta_0,\ldots,\zeta_{k-1}$ are of odd weight.
2685: \end{itemize}
Then the recurrence sequence $\mathcal Y=\{x_i\in\mathbb Z_2\}$ defined by the relation
$x_{i+1}=g_{i\bmod m}(x_i)$ is a strictly uniformly distributed sequence
over $\Z_2$: it is purely periodic modulo $2^k$ for all $k=1,2,\ldots$
with period length exactly $2^km$, and with each element of $\mathbb Z/2^k$ occurring at
the period exactly $m$ times.
2691: Moreover,
2692: \begin{enumerate}
2693: %\item the exact period length of the sequence $\mathcal Y_k$ is $2^km$
2694: %(see definition \ref{def:strict}),
2695: \item $2^{s+1}m$ is a {\rm (not necessarily exact, see definition \ref{def:strict})}
2696: period length of the sequence
2697: $\mathcal D_s=\{\delta_s(x_i)\colon i=0,1,2,\ldots\}$
2698: $(s=0,1,\ldots, k-1)$,
2699: \item $\delta_s(x_{i+2^{s}m})\equiv\delta_s(x_{i})+1\pmod
2700: 2$ for all $s=0,1,\ldots, k-1$, $i=0,1,2,\ldots$,
2701: \item for each $t=1,2,\ldots,k$ and each $r=0,1,2,\ldots$ the sequence
2702: $$x_r\bmod 2^t,x_{r+m}\bmod 2^t,x_{r+2m}\bmod 2^t,\ldots$$
2703: is a purely periodic sequence of period length exactly $2^t$, and each element
2704: of $\mathbb Z/2^t$ occurs at the period exactly once.
2705: \end{enumerate}
2706: \end{lem}
2707: \begin{note*}
2708: In view of \ref{ergBool} the conditions of the lemma imply that all the
2709: mappings $g_j$ preserve measure.
2710: \end{note*}
2711: \begin{proof}[Proof of lemma \ref{le:WP-odd}]
2712: Since every $g_j$ induces a permutation modulo $2^n$ (see \ref{ergBool}),
2713: the wreath product $(g_j\bmod 2^k)\Wr_{j=0}^{m-1}I$
2714: is a permutation $R_k$ on $\mathbb Z/m\times\mathbb Z/2^k$; hence, the recurrence
2715: sequence $\mathcal
2716: Y_k$ defined by a relation $x_{i+1}=g_{i\bmod m}(x_i)\bmod 2^k$
2717: is purely periodic.
2718:
2719:
2720: % We prove the assertion of the lemma in the following (stronger) form. Under
2721: % the conditions of lemma, for all
2722: % $k=1,2,\ldots$:
2723: % %formulate the induction assertion in the following form:
2724: %
2725: % This assertion implies a claim of the lemma:
2726: % a recurrence sequence $\mathcal Y=\{x_i\in\mathbb Z_2\}$
2727: %defined by a relation
2728: %$x_{i+1}=g_{i\bmod m}(x_i)$ is a strictly uniformly distributed sequence
2729: %over $\Z_2$:
2730: % is purely periodic modulo $2^k$ for all $k=1,2,\ldots$
2731: % with period length exactly $2^km$, and each element of $\mathbb Z/2^k$ occuring at
2732: % the period exactly $m$ times.
2733: %
2734: % Indeed,
2735: %
2736: We continue the proof of the lemma with induction on $k$.
2737: For $k=1$ one has
$$x_{i+1}=(c_{i\bmod m}+x_i)\bmod 2.$$
Thus, $x_{i}\equiv x_0+\sum_{j=0}^{i-1}c_{j\bmod m}\pmod 2$, and we have
to calculate the exact period length $P$ of the sequence
$b_i=(\sum_{j=0}^{i-1}c_{j\bmod m})\bmod 2$ (see definition \ref{def:strict}). Yet
2742: $0\equiv\sum_{j=i}^{P+i-1}c_{j\bmod m}\pmod 2$ for all $i$; this means
2743: that the sequence
2744: $\mathcal C=\{c_{j\bmod m}\bmod 2\}$ is a linear recurrence
2745: sequence over a field $\mathbb
2746: Z/2$
2747: with characteristic polynomial $1+y+\cdots+y^{P-1}\in(\mathbb Z/2)[y]$
2748: (see e.g. \cite{LinRec} for definitions). Since the latter polynomial is a factor
2749: of a polynomial $y^P-1$, $P$ is a period length of the sequence $\mathcal
2750: C$. Yet $m$ is an exact period length of the sequence $\mathcal
C$, so $m$ must be a factor of $P$. Yet $x_{i+m}\equiv
x_i+\sum_{j=0}^{m-1}c_{j\bmod m}\equiv x_i+1\pmod 2$, and
$x_{i+2m}\equiv
x_i+2\cdot\sum_{j=0}^{m-1}c_{j\bmod m}\equiv x_i\pmod 2$; thus, $P=2m$.
2755: %and $x_{i+m}\equiv x_i+1\pmod 2$ for all $i$.
2756: This proves the lemma for $k=1$, since $\mathcal D_0=\mathcal Y_1$ in this
2757: case.
2758:
2759: % Further, consider a case $k=2$. One has
2760: % $$\chi_1^i\equiv\chi_1^0+\sum_{j=0}^{i-1}
2761: % \varphi_1^j(\chi_0^j)\pmod 2.$$
2762: %
2763: Now let the lemma be true for $k=n$; consider $k=n+1$.
2764: Denote $\delta_n(x_i)=\chi_n^i$, then
2765: \begin{equation}
2766: \label{eq:WP-odd}
2767: \chi_n^i\equiv\chi_n^0+\sum_{j=0}^{i-1}
2768: \varphi_n^j(\chi_0^j,\ldots,\chi_{n-1}^j)\pmod 2.
2769: \end{equation}
2770: Since by the induction hypothesis the period length of the sequence $\mathcal
2771: Y_n$ is exactly $2^nm$,
2772: and since all $g_j$ are compatible, the period length of $\mathcal Y_{n+1}$
2773: is a multiple of $2^nm$; thus only two cases are possible: the exact period length of
2774: $\mathcal Y_{n+1}$ is either $2^{n+1}m$, or it is $2^nm$. We shall prove that the
2775: latter case does not take place. To do this we only have to demonstrate
that $\chi_n^{2^nm}\not\equiv \chi_n^0\pmod 2$.
2777: %So we just calculate $\chi_n^{2^mn}$
2778: %with the use of \eqref{eq:WP-odd}.
2779: In view of the induction hypothesis one has
2780: \begin{multline}
2781: \label{eq:WP-odd-1}
2782: \chi_n^{2^nm+r}\equiv\chi_n^r+\sum_{j=r}^{2^nm-1+r}
2783: \varphi_n^j(\chi_0^j,\ldots,\chi_{n-1}^j)\equiv \\
2784: \chi_n^r+\sum_{j=0}^{m-1}\sum_{z\in\mathbb Z/2^n}\varphi_n^j(\zeta_0,\ldots,\zeta_{n-1})\equiv
2785: \chi_n^r+1 \pmod 2,
2786: \end{multline}
2787: for all $r=0,1,2,\ldots$,
2788: since an odd number of Boolean polynomials $\varphi_n^0,\varphi_n^1,\ldots
2789: \varphi_n^{m-1}$ are of odd
weight. This proves claim (2) of the lemma; also, as \eqref{eq:WP-odd-1}
implies $\chi_n^{2^nm}\not\equiv \chi_n^0\pmod 2$, the exact period
length of $\mathcal Y_{n+1}$ is $2^{n+1}m$ in view of the above note. Moreover,
congruence \eqref{eq:WP-odd-1}
implies $\chi_n^{2^{n+1}m+r}\equiv \chi_n^{r}\pmod 2$, thus proving
claim (1) of the lemma. Last, by claim (3) of the induction hypothesis
2796: the following string of $2^nm$ numbers
2797: \begin{equation*}
2798: %\label{eq:WP-odd-2}
2799: x_r\bmod 2^n,x_{r+m}\bmod 2^n,x_{r+2m}\bmod 2^n,\ldots,x_{r+(2^n-1)m}\bmod 2^n
2800: \end{equation*}
2801: %is a purely periodic sequence over $\Z/2^n$ of period length exactly $2^n$,
2802: %and each element
2803: %of $\mathbb Z/2^n$ occurs at the period exactly once.
2804: is a permutation of $0,1,2,\ldots,2^n-1$. Hence, all the numbers
2805: %of \eqref{eq:WP-odd-2}
2806: $$x_r,x_{r+m},x_{r+2m},\ldots,x_{r+(2^n-1)m}$$
are pairwise distinct modulo $2^{n+1}$. Thus, for each $z\in\{0,1,\ldots,2^n-1\}$
2808: among the numbers
2809: \begin{equation}
2810: \label{eq:WP-odd-3}
2811: x_r,x_{r+m},x_{r+2m},\ldots,x_{r+(2^{n+1}-1)m}
2812: \end{equation}
2813: there exist exactly two numbers (say, $x_u$ and $x_v$) such that $u\ne
2814: v$ and $z\equiv
x_u\equiv x_v\pmod{2^n}$. Thus, $u\equiv v\pmod {2^nm}$ in view of claim
(3) of the induction hypothesis. Hence necessarily $v=u+2^nm$. But
then $x_u\not\equiv x_v\pmod{2^{n+1}}$, since $\delta_n(x_v)\equiv\delta_n(x_u)+1\pmod
2$ in view of \eqref{eq:WP-odd-1}. Thus, all $2^{n+1}$ numbers of \eqref{eq:WP-odd-3}
2819: are pairwise distinct modulo $2^{n+1}$. This proves claim (3) of the lemma.
2820:
2821: Since, as we have already proved, the sequence $\mathcal Y_{n+1}$ is purely
2822: periodic with period length exactly $2^{n+1}m$, a finite sequence
$$x_0\bmod 2^{n+1},x_1\bmod 2^{n+1},\ldots,x_{2^{n+1}m-1}\bmod 2^{n+1}$$
is
a period of $\mathcal Y_{n+1}$. But according to the already proven claim
2826: (3), among these numbers there exist exactly $m$ numbers that are congruent
2827: to $z$ modulo $2^{n+1}$ for each given $z\in\{0,1,\ldots,2^{n+1}-1\}$.
2828: %The same argument proves that
2829: % \begin{multline}
2830: % \label{eq:WP-odd-1}
2831: % \chi_n^{2^nm}\equiv\chi_n^0+\sum_{j=0}^{2^nm-1}
2832: % \varphi_n^j(\chi_0^j,\ldots,\chi_{n-1}^j)\equiv \\
2833: % \chi_n^0+\sum_{j=0}^{m-1}\sum_{z\in\mathbb Z/2^n}\varphi_n^j(\zeta_0,\ldots,\zeta_{n-1})\equiv
2834: % \chi_n^0+1 \pmod 2,
2835: % \end{multline}
2836: This completes the proof of the lemma.
2837: \end{proof}
\begin{note*} Nowhere in the proof of lemma \ref{le:WP-odd} did we use that
$m$ is odd. Hence the lemma holds for arbitrary, not necessarily odd, $m>1$.
2840: \end{note*}
2841: \begin{proof}[Proof of proposition \ref{WP-odd}.]
2842: The proof of proposition \ref{WP-odd} for a case $H_j(x)=d_j\oplus f_j(x)$
2843: is now obvious in view of
2844: %we only need to demonstrate
2845: %that $H_j$ satisfy the conditions of lemma \ref{le:WP-odd}. In view of
\ref{ergBool} and lemma \ref{le:WP-odd}: note only that the sequence $\{d_j+1\colon
j=0,1,2,\ldots\}$ satisfies the conditions of the lemma.
2848: %this is obvious in case $\ast=\XOR$,
2849: So to finish the proof we only have to consider
2850: a case $H_j=d_j+f_j(x)$.
2851:
2852: The proof in the latter case goes along the lines similar to those of lemma \ref{le:WP-odd}.
2853: Namely, for $n=1$ one has $x_{i+1}=(d_{i\bmod m}+x_i+1)\bmod 2$,
2854: since every ergodic mapping modulo $2$ is equivalent to the mapping $x\mapsto
2855: x+1$, see \ref{Delta};
2856: so putting $c_i=d_i+1$ returns us to the situation of lemma \ref{le:WP-odd}
2857: whenever $n=1$.
2858: %$x_{i}\equiv x_0+\sum_{j=0}^{i-1}d_{j\bmod m}\pmod 2$. Yet the period
2859:
Assuming the proposition is true for $n=k$, we prove it for $n=k+1$.
2861: In view of \ref{ergBool} we have that for $s>0$
2862: $$\delta_s(H_j(x))\equiv \chi_s+(d_j+1)\chi_0\cdots\chi_{s-1}+
2863: \psi_s^j(\chi_0,\ldots,\chi_{s-1})\pmod 2,$$
2864: where $\deg \psi_s^j<s$ (this congruence could be easily proved by induction
2865: on $s$: the coefficient of the monomial $\chi_0\cdots\chi_{s-1}$ in the
2866: Boolean polynomial that represents a carry to $s$\textsuperscript{th} digit
2867: is $\delta_0(d_j)$). Thus, for $k\ge 1$ one obtains
2868: \begin{multline*}
2869: \chi_k^{2^km}\equiv\chi_k^0
2870: +\sum_{j=0}^{2^km-1}(d_{j\bmod m}+1)\chi_0^j\cdots\chi_{k-1}^j
2871: +\sum_{j=0}^{2^km-1}
2872: \psi_k^j(\chi_0^j,\ldots,\chi_{k-1}^j)\equiv \\
2873: \chi_k^0+
2874: \sum_{j=0}^{m-1}(d_j+1)\sum_{z\in\mathbb Z/2^k}\zeta_0\cdots\zeta_{k-1}+
2875: \sum_{j=0}^{m-1}\sum_{z\in\mathbb Z/2^k}\psi_k^j(\zeta_0,\ldots,\zeta_{k-1})\equiv\\
2876: \chi_k^0+1 \pmod 2,
2877: \end{multline*}
2878: since all Boolean polynomials $\psi_k^j(\zeta_0,\ldots,\zeta_{k-1})$ are
2879: of even weight. This completes the proof of the proposition.
2880: \end{proof}
2881: \begin{exmp*}
2882: %\label{ex:KlSh-2}
2883: A mapping $g_j(x)=x+(x^2\vee C_j)$ is ergodic
2884: iff $\delta_0(C_j)=1$ and $\delta_2(C_j)=1$ (see \ref{KlSh-3}). Let
2885: a sequence $\{d_j\colon j=0,1,2,\ldots\}$ satisfy conditions of proposition
2886: \ref{WP-odd}.
2887: Then the sequence $\{x_{i+1}=x_i+d_i+(x_i^2\vee C_i)\bmod 2^n\colon i=0,1,2,\ldots\}$
2888: is purely periodic modulo $2^k$ for all $k=1,2,\ldots$
2889: with period length $2^km$, and each element of $\mathbb Z/2^k$ occurs at
2890: the period exactly $m$ times.
2891:
This is another variation on the theme of \cite[Theorem 3]{KlSh-2}. Note that
we prove a somewhat stronger claim: not only is the sequence of pairs $(y_i,
x_i)$ defined by $y_{i+1}=(y_i+1)\bmod m$; $x_{i+1}=(x_i+d_i+(x_i^2\vee C_{y_i}))\bmod 2^n$
periodic with period length $2^nm$, but the period length of the sequence
$\{x_i\}$ itself is $2^nm$. The latter can never be achieved under the conditions
of Theorem 3 of \cite{KlSh-2}: they imply that the period length of the
sequence $\{x_i\pmod 2\}$ is $2$, and not $2m$.
2899: \end{exmp*}
2900: \begin{note*}
Obviously, after an appropriate restatement, proposition \ref{WP-odd}, as
well as lemma \ref{le:WP-odd}, remains true
2903: for arbitrary permutation $I\colon\mathbb Z/m\twoheadrightarrow\mathbb Z/m$
2904: with a single cycle.
2905: \end{note*}
2906: In connection with proposition \ref{WP-odd} there arises a natural
2907: question: how to construct a sequence $\{d_j\}$ that satisfies its conditions?
2908: %Obviously, this could be done in various ways, but here we note only two of them.
2909: \begin{prop}
2910: \label{prop:WP-odd:constr}
Let $m>1$ be odd, and let $u\colon\Z/m\rightarrow\Z/m$ be an arbitrary permutation with a
2912: single cycle. Choose
2913: arbitrary $z\in\Z/m$ and
2914: set $d_{i}=u^{(i)}(z)\bmod m$, if $m\equiv 1\pmod 4$, or
2915: set $d_{i}=(u^{(i)}(z)+1)\bmod m$ otherwise $(i=0,1,2,\ldots)$. Then
2916: the sequence $\mathcal D=\{d_i\}$ satisfies conditions
2917: of proposition \ref{WP-odd}: that is, $\mathcal D$ is purely periodic with
2918: period length exactly $m$, and $\sum_{j=0}^{m-1}d_j\equiv 0\pmod 2$.
2919: % \begin{enumerate}
2920: % \item Let $u\:\Z/m\>\Z/m$ be an arbitrary compatible permutation with a
2921: % single cycle {\rm (note: these mappings could be constructed with the use of
2922: % \ref{ergPolGen}, \ref{ergAn}, \ref{ergAnGen}, and \ref{Delta})}; choose
2923: % arbitrary $z\in\Z/m$ and
2924: % set $d_{i}=u^{(i)}(z)\bmod m$, if $m\equiv 1\pmod 4$, or
2925: % set $d_{i}=(u^{(i)}(z)+1)\bmod m$ otherwise $(i=0,1,2,\ldots)$.
2926: % \item Let $m=2^k-1$; take $D$ a linear recurrence sequence
2927: % over $\Z/2$ of period length $m$ {\rm(note: often sequences of this kind could
2928: % be constructed with the use of $\XOR$'s and left-right shifts only, see \cite{Mars})}.
2929: % \end{enumerate}
2930: % The sequence of rational integers $d_j\in \mathbb Z$ that satisfies conditions
2931: % of proposition \ref{WP-odd} could be constructed with the use of ergodic
2932: % mappings of $\mathbb Z_p$ for odd $p$. Since $m$ is odd, then $\sum_{i=0}^mi\equiv
2933: % 0\pmod 2$ iff $m\equiv 1\pmod 4$. Thus, one can take a sequence $d_{i+1}=u(d_i)\bmod
2934: % m$ in case $m\equiv 1\pmod 4$ (or a sequence $d_j+1$ for $d_{i+1}=u(d_i)\bmod
2935: % m$ otherwise), where $u\colon\mathbb Z_p\rightarrow\mathbb Z_p$ is an ergodic mapping
2936: % for each prime factor $p$ of $m$ and $u$ induces a compatible mapping
2937: % modulo $m$. Such mappings $u$ could be constructed with the use of e.g.
2938: % \ref{ergPolGen} and \ref{Delta}.
2939: \end{prop}
2940: \begin{proof}
Obviously, the sequence $\mathcal D$ is purely periodic. Let $P$
be its exact period length; then $P$ is a factor
of $m$.
Note that since $m=2s+1$, exactly $s$ of the numbers $0,1,\ldots,m-1$ are odd.
Denote by $r_0$ (respectively, $r_1$) the number of even (respectively,
odd) numbers at the period of $\mathcal D$: so $\frac{m}{P}r_1=s$, and
2947: $\frac{m}{P}r_0=s+1$. Thus, $\frac{m}{P}(r_0-r_1)=1$; hence $\frac{m}{P}=1$.
2948: So, the period length of $\mathcal D$ is exactly $m$. The result now follows
2949: since $\sum_{i=0}^{m-1}i\equiv 0\pmod 2$ iff $s\equiv 0\pmod 2$.
2950: \end{proof}
2951: \begin{note}
2952: \label{note:WP-odd:constr}
Thus, to construct a sequence $\{d_j\}$ of proposition \ref{WP-odd} it
is sufficient to construct a permutation with a single cycle modulo $m$.
Of course, this can be done in various ways, depending on the extra conditions
the whole generator should satisfy. For instance, if one prefers memory lookups
to computations on the fly,
one can merely take an arbitrary array of $\{0,1,\ldots, m-1\}$ in arbitrary
order.
On the contrary, if one needs to produce $d_j$ on the fly, one can
construct a corresponding generator modulo $m$ with a compatible state transition
function and an output function that is bijective modulo $m$. This can be done, e.g.,
with the use of
\ref{ergPolGen}, \ref{ergAn}, \ref{ergAnGen}, and \ref{Delta}.
In case
$m=2^k-1$ an alternative
way is to use linear recurrence sequences of maximum period over $\Z/2$:
note that sequences of this kind can often be constructed with the use
of $\XOR$'s and left-right shifts only, see e.g. \cite{Mars}.
2970: \end{note}
2971:
2972:
The above results of this subsection show how to construct a sequence $x_{i+1}=f_{i\bmod
m}(x_i)\bmod 2^n$ of maximum period length $2^nm$ in two cases: when $m$
is odd, and when $m=2^k$. Now we consider the general case of arbitrary $m>1$.
2976: %The main technical tool is the following
2977: \begin{thm}
2978: \label{thm:WP}
2979: Let $\mathcal G=\{g_0,\ldots,g_{m-1}\}$ be a finite sequence of
2980: compatible measure preserving
2981: mappings of $\mathbb Z_2$ onto itself such that
2982: \begin{enumerate}
2983: \item the sequence $\{(g_{i\bmod m}(0))\bmod 2\colon i=0,1,2,\ldots\}$ is a
2984: purely periodic sequence with period length exactly $m$;
2985: \item $\sum_{i=0}^{m-1}g_i(0)\equiv 1\pmod 2$;
2986: \item $\sum_{j=0}^{m-1}\sum_{z=0}^{2^k-1}g_j(z)\equiv 2^{k}\pmod {2^{k+1}}$
2987: for all $k=1,2,\ldots$ .
2988: \end{enumerate}
2989: Then the recurrence sequence $\mathcal Z$ defined by the relation $x_{i+1}=g_{i\bmod
2990: m}(x_i)$ is strictly uniformly distributed modulo $2^n$ for all $n=1,2,\ldots:$
2991: i.e., modulo each $2^n$ it is a purely periodic sequence with
2992: period length exactly
2993: $2^nm$ and with each element of $\mathbb Z/2^n$ occurring at the period
2994: exactly $m$ times.
2995: \end{thm}
2996: \begin{note*}
2997: Since in view of \ref{ergBool}
2998: a compatible mapping $g_i\colon\mathbb Z_2\rightarrow\mathbb Z_2$ preserves
2999: measure iff
3000: $$\delta_k(g_i(x))\equiv \chi_k+\varphi_k^i(\chi_0,\ldots,\chi_{k-1})\pmod
3001: 2,$$
3002: where $\chi_s=\delta_s(x)$ $(s=0,1,2,\ldots)$, the {\it condition } (3)
3003: {\it of theorem \ref{thm:WP} could be replaced by the equivalent condition
3004: $$\sum_{j=0}^{m-1}\wt\varphi_k^j\equiv 1\pmod 2 \qquad (k=1,2,\ldots),$$}
3005: where $\wt\varphi_k^j$ is a weight of the Boolean polynomial $\varphi_k^j$
3006: in variables $\chi_0,\ldots,\chi_{k-1}$. In turn, since for every Boolean
3007: polynomial $\varphi$ in variables $\chi_0,\ldots,\chi_{k-1}$ holds $\wt\varphi\equiv
3008: \Coef_{0,\ldots,k-1}(\varphi)\pmod 2$, where $\Coef_{0,\ldots,k-1}(\varphi)$
3009: stands for a coefficient of the monomial $\chi_0\cdots\chi_{k-1}$ in the
3010: Boolean polynomial $\varphi$, the {\it latter condition could be also replaced
3011: by
3012: $$\sum_{j=0}^{m-1}\Coef_{0,\ldots,k-1}(\varphi_k^j)\equiv 1\pmod 2 \qquad (k=1,2,\ldots),$$
3013: or by
3014: $$\sum_{j=0}^{m-1}\bigg\lfloor\frac{\deg\varphi_k^j}{k}\bigg\rfloor\equiv 1\pmod {2} \qquad (k=1,2,\ldots).$$}
3015: \end{note*}
3016: \begin{proof}[Proof of theorem \ref{thm:WP}.]
3017: Practically everything is already done during the proof of \ref{le:WP-odd}:
3018: we just note that congruence \eqref{eq:WP-odd-1} now holds in view of condition
3019: (3) of the theorem.
3020: \end{proof}
3021: \begin{note*} For $m=1$ theorem \ref{thm:WP} turns into ergodicity criterion
3022: \ref{ergBool}: so theorem \ref{thm:WP} could be considered as a generalization
3023: of this criterion.
3024: \end{note*}
3025: Theorem \ref{thm:WP} is our main technical tool in constructing automata with
3026: strictly uniformly
3027: distributed recurrence sequences $x_{i+1}=f_i(x_i)$ of internal
3028: states outputting strictly uniformly distributed sequences
3029: of the form $F_0(x_0), F_1(x_1),\ldots$ .
3030: The above-mentioned results (e.g. \ref{WP-even-more} and \ref{WP-odd}) could
3031: be derived from theorem \ref{thm:WP}, and new results for even $m$ that is
3032: not a power of 2 could also be obtained with the use of it:
3033: \begin{exmp*}
3034: For instance, take odd $s$, $1\le s<m$, and take $s$ arbitrary compatible and ergodic
3035: mappings $g_j\colon\mathbb Z_2\rightarrow\mathbb Z_2$, $(j=0,1,\ldots,s-1)$.
3036: Take $m-s$ arbitrary compatible and measure preserving mappings
3037: $h_k\colon\mathbb Z_2\rightarrow\mathbb Z_2$, and
3038: set $g_k(x)=x\oplus 2h_k(x)$ $(k=s,s+1,\ldots,m-1)$. Then in view of \ref{ergBool}
3039: it is easy to see that a finite sequence $\{g_i\colon i=0,1,\ldots, m-1\}$
3040: satisfies conditions of theorem \ref{thm:WP}, and thus the recurrence sequence
3041: $x_{i+1}=g_{i\bmod m}(x_i)$ is strictly uniformly distributed modulo $2^n$
3042: for all $n=1,2,\ldots$ .
3043: \end{exmp*}
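The hypotheses of theorem \ref{thm:WP} tested on a concrete family, with the conclusion verified by brute force, as an added example (the editor's, not the paper's). It assumes $m=6$ with $s=3$ ergodic maps ($x+1$, $5x+1$ and the Klimov--Shamir map $x+(x^2\ \mathrm{OR}\ 5)$, whose transitivity modulo small $2^n$ the block checks itself) and three measure preserving maps of the shape $x\oplus 4h_k(x)$, a variant of the $x\oplus 2h_k(x)$ shape above chosen so that $\varphi^k_1=0$ and the weight sum for $k=1$ stays odd; condition (3) is tested in the weight form of the note following the theorem.

```python
# Added example (the editor's, not the paper's): testing the hypotheses of
# Theorem thm:WP on a constructed family of m = 6 compatible maps and verifying
# its conclusion (strict uniform distribution modulo 2^n) by brute force.
# Condition (3) is tested in the Boolean-weight form of the note after the
# theorem: sum_j wt(phi_k^j) must be odd for every k >= 1.
from collections import Counter
from typing import Callable, List, Optional

TMap = Callable[[int], int]

# Sample maps (editor's choice).  All are T-functions, hence compatible.
def g_plus1(x: int) -> int:  return x + 1            # ergodic
def g_lcg(x: int) -> int:    return 5 * x + 1        # ergodic: a = 1 (mod 4), c odd
def g_klimov(x: int) -> int: return x + (x * x | 5)  # ergodic (Klimov-Shamir map)
# Measure preserving but not ergodic: x XOR 4*h(x) with h a bijection of Z_2,
# so phi_0 = phi_1 = 0 and phi_k has even weight for every k >= 2.
def g_xor_a(x: int) -> int:  return x ^ (4 * x)
def g_xor_b(x: int) -> int:  return x ^ (4 * (3 * x))
def g_xor_c(x: int) -> int:  return x ^ (4 * (x + 7))

GOOD: List[TMap] = [g_plus1, g_lcg, g_klimov, g_xor_a, g_xor_b, g_xor_c]  # m = 6, s = 3
BAD: List[TMap] = [g_plus1, g_lcg]  # m = 2, both ergodic: condition (2) fails


def boolean_weight(g: TMap, k: int) -> int:
    """wt(phi_k) of a compatible map g: the number of z < 2^k with delta_k(g(z)) = 1
    (for such z the bit chi_k is 0, so delta_k(g(z)) = phi_k(chi_0, ..., chi_{k-1}))."""
    return sum((g(z) >> k) & 1 for z in range(1 << k))


def exact_period(seq: List[int]) -> Optional[int]:
    """Smallest P > 0 with seq[i + P] == seq[i] for every valid i;
    the list must hold at least two full periods."""
    n = len(seq)
    for p in range(1, n // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(n - p)):
            return p
    return None


def wp_conditions_hold(maps: List[TMap], kmax: int) -> bool:
    """Conditions (1), (2) and (3) (weight form, k = 1..kmax) of Theorem thm:WP."""
    m = len(maps)
    parities = [g(0) & 1 for g in maps]
    if exact_period(parities * 2) != m:      # (1): parity pattern has exact period m
        return False
    if sum(parities) % 2 != 1:                # (2): odd number of odd g_j(0)
        return False
    return all(sum(boolean_weight(g, k) for g in maps) % 2 == 1
               for k in range(1, kmax + 1))   # (3): sum_j wt(phi_k^j) odd


def wreath_sequence(maps: List[TMap], n: int, length: int, x0: int = 0) -> List[int]:
    """x_{i+1} = g_{i mod m}(x_i) mod 2^n; reducing at every step is harmless
    because the maps are compatible."""
    m, mask = len(maps), (1 << n) - 1
    x = x0 & mask
    xs = [x]
    for i in range(length - 1):
        x = maps[i % m](x) & mask
        xs.append(x)
    return xs


def is_strictly_uniform(maps: List[TMap], n: int) -> bool:
    """Period exactly 2^n * m, and every residue mod 2^n exactly m times per period."""
    m = len(maps)
    want = (1 << n) * m
    xs = wreath_sequence(maps, n, 2 * want)
    if exact_period(xs) != want:
        return False
    counts = Counter(xs[:want])
    return all(counts[r] == m for r in range(1 << n))


def is_single_cycle(g: TMap, n: int) -> bool:
    """Transitivity of g modulo 2^n, i.e. ergodicity checked at one level."""
    mask = (1 << n) - 1
    x, steps = g(0) & mask, 1
    while x != 0 and steps <= (1 << n):
        x, steps = g(x) & mask, steps + 1
    return x == 0 and steps == (1 << n)


if __name__ == "__main__":
    for n in range(1, 7):
        print(n, wp_conditions_hold(GOOD, n), is_strictly_uniform(GOOD, n),
              wp_conditions_hold(BAD, n), is_strictly_uniform(BAD, n))
```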
3044: \begin{note}
3045: \label{note:halfper-odd}
3046: During the proof of theorem \ref{thm:WP} and of lemma \ref{le:WP-odd}
3047: %proposition \ref{WP-odd} and lemma \ref{le:WP-odd}
3048: we have demonstrated that {\it every
3049: $j$\textsuperscript{th} coordinate sequence $\mathcal D_j=\{\delta_j(x_i)\colon i=0,1,2,\ldots\}$
3050: $(j=0,1,2,\ldots)$
3051: is a purely periodic binary sequence of period length $2^{j+1}m$, and the
3052: second half of the period is a bitwise negation of the first half}: $\delta_j(x_{i+2^jm})\equiv
3053: \delta_j(x_i)+1\pmod 2$, $i=0,1,2,\ldots$ (see claims (1)--(2) of
3054: lemma \ref{le:WP-odd}). Note, however, that {\slshape
3055: the exact
3056: period length $P$ of the sequence
3057: $\{\delta_j(x_i)\colon i=0,1,2,\ldots\}$ could actually be less than $2^{j+1}m$},
3058: i.e., $P\big|2^{j+1}m$, yet not necessarily $P=2^{j+1}m$ (however, $P$
3059: is always a multiple of $2^{j+1}$, see \ref{thm:lincomp:sharp}). Indeed, the sequence
3060: $101010\ldots$ is a purely periodic sequence with period $10$ of length $2$; at
3061: the same time it could be considered as a purely periodic sequence with
3062: period $101010$ of length $6$. Note that in both cases the second half
3063: of the period is a bitwise negation of its first half. Such an effect could
3064: never occur for $j=0$, since $\mathcal D_0=\mathcal Y_1$, and the latter
3065: sequence has period length exactly $2m$ in view of lemma \ref{le:WP-odd}.
3066: However, this effect could occur for senior coordinate sequences. For instance,
3067: let $\mathcal D_0$ be a purely periodic sequence with period $111000$;
3068: let $\mathcal D_1$ be a purely periodic sequence with period $110011001100$.
3069: The exact period length of $\mathcal D_1$ is $4$; yet it could be considered
3070: as a sequence of period $12$, and the second half of the period is a bitwise
3071: negation of the first half. The sequence $\mathcal Y_2$ in this case is
3072: a purely periodic sequence with period $331022113200$. It is not difficult
3073: to demonstrate that this sequence $\mathcal Y_2$ satisfies lemma \ref{le:WP-odd},
3074: i.e., one could construct mappings $g_0,g_1,g_2$ satisfying the lemma,
3075: such that the output sequence $\mathcal Y_2$
3076: is our sequence with period $331022113200$. A characterization
3077: of possible
3078: output sequences is given by theorem \ref{thm:WP:AnyHalfPer} further.
3079: \end{note}
3080:
3081: % This note \ref{note:halfper-odd} is important for
3082: % calculation of linear complexity of the sequence
3083: % $\{\delta_j(x_i)\colon i=0,1,2,\ldots\}$ further in Section
3084: % \ref{sec:Prop}. Yet now we apply it to prove the following
3085: Finally we consider a case of wreath products of automata with non-identity
3086: output functions.
3087: \begin{cor}
3088: \label{cor:WP}
3089: Let a finite sequence of mappings $\{f_0,\ldots,f_{m-1}\}$ of $\mathbb
3090: Z_2$ into itself satisfy conditions
3091: of theorem \ref{thm:WP}, and let $\{F_0,\ldots,F_{m-1}\}$ be an arbitrary
3092: finite sequence of equiprobable {\rm (}and not necessarily compatible{\rm
3093: )} mappings of $\mathbb Z/2^n$ $(n\ge 1)$ onto $\mathbb
3094: Z/2^k$, $1\le k\le n$. Then the sequence
3095: $\mathcal F=\{F_{i\bmod m}(x_i)\colon i=0,1,2\ldots\}$, where $x_{i+1}=f_{i\bmod m}(x_i)\bmod
3096: 2^n$, is strictly uniformly distributed over $\mathbb Z/2^k:$ It is purely
3097: periodic with period length $2^nm$, and each element of $\mathbb Z/2^k$
3098: occurs at the period exactly $2^{n-k}m$ times.
3099: \end{cor}
3100: % To prove the corollary we need the following lemma, which is
3101: % of independent interest also.
3102: % \begin{lem}
3103: % \label{le:cor:WP}
3104: % Let
3105: % %$\{f_0,\ldots,f_{m-1}\}$ and
3106: % $\{x_i\colon i=0,1,2,\ldots\}$
3107: % be a sequence of the statement of corollary \ref{cor:WP}.
3108: % Then each subsequence $\{x_{i+mj}\colon j=0,1,2,\ldots\}$ is strictly uniformly
3109: % distributed modulo $2^n$ for all $n=1,2,\ldots:$ it is purely periodic
3110: % modulo $2^n$ with period length exactly $2^n$ and with each element of
3111: % $\mathbb Z/2^n$ occuring at the period exactly once.
3112: % \end{lem}
3113: % \begin{proof}[Proof of lemma \ref{le:cor:WP}.]
3114: % Induction on $n$. For $n=1$ see \ref{note:halfper-odd}. Let the lemma be
3115: % true for $n=k\ge 1$; prove it for $n=k+1$. By theorem \ref{thm:WP},
3116: % $x_s\equiv x_t\pmod{2^k}$
3117: % whenever $s\equiv t\pmod{2^km}$. However, if $t=s+2^km$, then
3118: % $\delta_k(x_{t})\equiv
3119: % \delta_k(x_s)+1\pmod 2$ in view of \ref{note:halfper-odd}. Application
3120: % of induction hypothesis completes the proof of the lemma.
3121: % \end{proof}
3122: \begin{proof}
3123: %[Proof of corollary \ref{cor:WP}.]
3124: Obvious: combine claim (3) of lemma
3125: \ref{le:WP-odd} and proposition \ref{prop:Auto}.
3126: \end{proof}
3127:
3128: Note that the results of this subsection could be extended to cover the
3129: case $p$ odd, that is, to the case of wreath products of the form
3130: $H_j\Wr_{j=0}^{p^m-1}T$, where $T\:\Z/p^m\>\Z/p^m$ (and even for
3131: $H_j\Wr_{j=0}^{m-1}T$, where $T\:\Z/m\>\Z/m$, $m>1$ arbitrary rational
3132: integer). This case is also of cryptographic importance: the corresponding
3133: techniques could be used e.g. to construct sequences of type $\mathcal D$
3134: of proposition \ref{prop:WP-odd:constr}. However, this is an issue of a
3135: forthcoming paper.
3136: \subsection*{Equalizing period lengths of coordinate sequences.} All the
3137: generators with the identity output function considered above
3138: demonstrate a property which was already mentioned at the beginning
3139: of this section, and
3140: which in loose terms could
3141: be stated as follows: {\slshape Less significant
3142: bits of output have smaller periods}. To be more exact, although
3143: for any of these automata the corresponding
3144: output sequence $\mathcal S=\{s_0,s_1,\ldots\}$
3145: over $\Z/2^n$
3146: is always purely periodic
3147: of period length exactly $2^n\ell$ (where $\ell=2^m$ for sequences outputted
3148: by wreath products of automata described
3149: by \ref{WP-even} or \ref{WP-even-trunc}, $\ell=m$ in case the wreath products
3150: are of \ref{WP-odd}, \ref{le:WP-odd},
3151: or \ref{thm:WP}, and $\ell=1$ for congruential
3152: generators of a maximum period length), the $j$\textsuperscript{th} coordinate
3153: sequence $\delta_j(\mathcal S)=\{\delta_j(s_0),\delta_j(s_1),\ldots\}$ could
3154: be of smaller period length (see e.g. note \ref{note:halfper-odd} above).
3155: In fact, as it is shown further, the exact period length of the $j$\textsuperscript{th} coordinate
3156: sequence of congruential generator of a maximum period length is $2^{j+1}$
3157: (see \ref{halfper}); it is a factor of $2^{j+1}\ell$ and a multiple of
3158: (which is possibly equal to) $2^{j+1}$
3159: for wreath products of generators (see \ref{thm:lincomp:sharp}). So only senior
3160: coordinate sequence $\delta_{n-1}(\mathcal S)$ may achieve exact period
3161: length $2^n\ell$; at least, the exact period length of it is not less than
3162: $2^n$.
3163: Nothing more could be said either if we use general non-identity equiprobable
3164: output
3165: functions (see \ref{prop:Auto} and \ref{cor:WP}). However, such a ``disbalance"
3166: of periods could be cured if we apply non-identity output functions in some
3167: special way.
3168:
3169: Namely, let $\pi=\pi_n^1$ be a bit order reversing permutation on $\Z/2^n$,
3170: which was defined in section \ref{Prelm}, and let $h_i$ $(i=0,1,\ldots,m-1)$
3171: be compatible and ergodic mappings of $\Z_2$ onto itself. Then the composition
3172: $F_i(x)\colon x\mapsto (h_i(\pi(x)))\bmod 2^n$ $(x\in\{0,1,\ldots,2^n-1\})$
3173: is a bijective mapping of $\Z/2^n$ onto itself. We argue that if we take
3174: $F_i$ as an output function, then the sequence $\mathcal F$ of \ref{cor:WP}
3175: is free of less significant bit effect mentioned above. To be more exact,
3176: the following proposition holds:
3177: \begin{prop}
3178: \label{prop:reverse}
3179: Let $h_i$, $i=0,1,2,\ldots,m-1$,
3180: be compatible and ergodic mappings of $\Z_2$ onto itself. Define
3181: $F_i\colon\Z/2^n\>\Z/2^n$ by
3182: $F_i(x)=(h_i(\pi(x)))\bmod 2^n$ $(x\in\{0,1,\ldots,2^n-1\})$,
3183: where $\pi=\pi_n^1$ is a bit order reversing permutation on $\Z/2^n$ {\rm(see
3184: Section \ref{Prelm} for the definition of the latter)}. Consider
3185: a sequence $\mathcal F$ over $\Z/2^n$ defined in \ref{cor:WP}.
3186: Then the exact period length of the $j$\textsuperscript{th}
3187: coordinate sequence $\delta_j(\mathcal F)$ $(j=0,1,2,\dots,n-1)$
3188: %of the sequence $\mathcal F$ of \ref{cor:WP},
3189: is $2^nk_j$, where $1\le k_j\le\ell$.
3190:
3191: Moreover, the same holds if $m=1$
3192: {\rm (}and whence $\ell=1${\rm )}, i.e., when $\mathcal F$ is an output
3193: sequence of the automaton ${\mathfrak A}=\langle N,M,\bar f,F,u_0\rangle $,
3194: where $N=M=\Z/2^n$, $\bar f=f\bmod 2^n$, $f$ and $h$ are compatible
3195: and ergodic mappings of $\Z_2$ onto itself,
3196: $F(x)=(h(\pi(x)))\bmod 2^n$, $x\in\{0,1,\ldots,2^n-1\}${\rm :} The exact period length of the $j$\textsuperscript{th}
3197: coordinate sequence $\delta_j(\mathcal F)$ is $2^n$ for all $j=0,1,2,\dots,n-1$.
3198: \end{prop}
3199: \begin{note*} Hence, $\mathcal F$ is a purely periodic sequence of period
3200: length exactly $2^nm$, and with each element of $\Z/2^n$ occurring at the
3201: period exactly $m$ times (see \ref{cor:WP},\ref{prop:Auto}).
3202: \end{note*}
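The low-bit effect and its cure by the bit-reversing output function, as an added example (the editor's, not the paper's) for the congruential case $m=1$ of proposition \ref{prop:reverse}. It assumes the compatible ergodic maps $f(x)=x+(x^2\ \mathrm{OR}\ 5)$ and $h(x)=5x+1$, and realizes $\pi=\pi_n^1$ as plain reversal of the $n$ low-order bits.

```python
# Added example (the editor's, not the paper's): exact periods of the
# coordinate sequences of a congruential generator with identity output
# (2^(j+1) for the j-th bit, Theorem halfper) versus the bit-reversing output
# F(x) = h(pi(x)) mod 2^n of Proposition prop:reverse (period 2^n for every bit).
from typing import Callable, List, Optional


def f_state(x: int) -> int:
    """Assumed state transition: the ergodic T-function x + (x^2 OR 5)."""
    return x + (x * x | 5)


def h_out(x: int) -> int:
    """Assumed compatible ergodic map inside the output function: 5x + 1."""
    return 5 * x + 1


def bit_reverse(x: int, n: int) -> int:
    """pi = pi_n^1: write x as n bits and reverse their order."""
    r = 0
    for _ in range(n):
        r = (r << 1) | (x & 1)
        x >>= 1
    return r


def state_sequence(f: Callable[[int], int], n: int, length: int, x0: int = 0) -> List[int]:
    """x_{i+1} = f(x_i) mod 2^n (reducing each step is harmless: f is compatible)."""
    mask = (1 << n) - 1
    xs, x = [], x0 & mask
    for _ in range(length):
        xs.append(x)
        x = f(x) & mask
    return xs


def exact_period(seq: List[int]) -> Optional[int]:
    """Smallest P > 0 with seq[i + P] == seq[i] for all valid i (seq holds >= 2 periods)."""
    n = len(seq)
    for p in range(1, n // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(n - p)):
            return p
    return None


def coordinate_periods(values: List[int], n: int) -> List[Optional[int]]:
    """Exact period of delta_j(values) for j = 0, ..., n-1."""
    return [exact_period([(v >> j) & 1 for v in values]) for j in range(n)]


def identity_output_periods(n: int) -> List[Optional[int]]:
    """Output function F(x) = x: expected [2, 4, ..., 2^n]."""
    return coordinate_periods(state_sequence(f_state, n, 2 << n), n)


def reversed_output_periods(n: int) -> List[Optional[int]]:
    """Output function F(x) = h(pi(x)) mod 2^n: expected [2^n] * n."""
    mask = (1 << n) - 1
    xs = state_sequence(f_state, n, 2 << n)
    return coordinate_periods([h_out(bit_reverse(x, n)) & mask for x in xs], n)


if __name__ == "__main__":
    for n in (4, 8):
        print(n, identity_output_periods(n), reversed_output_periods(n))
```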
3203: To prove this proposition we need the following easy
3204: \begin{lem}
3205: \label{le:reverse}
3206: Let $\mathcal X=\{x_i\: i=0,1,2,\dots\}$ and $\mathcal Y=\{y_i\: i=0,1,2,\dots\}$ be purely periodic
3207: sequences
3208: over $\Z/2$ with exact period lengths $2^u$ and $2^v$, respectively, and
3209: let $u>v$. Then the sequence
3210: $\mathcal X\oplus\mathcal Y=\{x_i\oplus y_i\: i=0,1,2,\dots\}$ is purely
3211: periodic with period length exactly $2^u$.
3212:
3213: If, additionally, $x_{i+2^{u-1}}\equiv x_i+1\pmod 2$ for all $i=0,1,2,\ldots$,
3214: and if $\mathcal Y$ is a non-zero sequence, then the sequence
3215: $\mathcal X\odot\mathcal Y=\{x_i\cdot y_i\: i=0,1,2,\dots\}$ is
3216: purely periodic with period length exactly
3217: $2^u$.
3218: \end{lem}
3219: \begin{proof}[Proof of lemma \ref{le:reverse}.]
3220: The first assertion of the lemma is obvious. To prove the second one assume
3221: $P$ is the exact period length of the sequence $\{x_i\cdot y_i\: i=0,1,2,\dots\}$.
3222: Then $P=2^s$ for suitable $s\le u$. Yet if $s<u$, then
3223: $x_{i+2^{u-1}}\cdot y_{i+2^{u-1}}\equiv x_i\cdot y_i\pmod 2$ for all $i=0,1,2,\ldots$;
3224: thus $(x_i+1)\cdot y_i\equiv x_i\cdot y_i\pmod 2$ and hence $y_i\equiv 0\pmod
3225: 2$ for all $i=0,1,2,\ldots$. A contradiction.
3226: \end{proof}
3227: \begin{proof}[Proof of proposition \ref{prop:reverse}.] In view of assertions
3228: (2) and (3) of lemma \ref{le:WP-odd}, each subsequence
3229: $\mathcal F(r)=\{z_{r+tm}\:t=0,1,2,\ldots\}$, $r=0,1,\ldots,m-1$, of the
3230: sequence $\mathcal F=\{z_i\:i=0,1,2,\ldots\}$ satisfies the following condition:
3231: Each coordinate sequence $\delta_j(\mathcal F(r))$ is a purely periodic
3232: sequence of period length exactly $2^{j+1}$, and the second half of the
3233: period is a bitwise negation of the first half, i.e., $\delta_j(z_{r+(t+2^j)m})\equiv
3234: \delta_j(z_{r+tm})+1\pmod 2$ for all $t=0,1,2,\ldots$. Thus, in view of
3235: theorem \ref{AnyHalfPer}, which is proved further, the sequence $\mathcal F(r)$
3236: is an output sequence of a suitable automaton $\mathfrak B=\langle \Z_2,\Z/2^n,f,\bmod
3237: 2^n,z_r\rangle$, where $f$ is a compatible and ergodic mapping of $\Z_2$
3238: onto itself. Thus, the first assertion of the proposition follows from
3239: the second one, i.e., it is sufficient to consider only a case $m=1$.
3240:
3241: Now represent $h$ in a Boolean form according to \ref{ergBool}. So,
3242: $$\delta_j(h(x))\equiv \chi_j+\varphi_j(\chi_0,\ldots,\chi_{j-1})\pmod 2,$$
3243: where $\chi_k=\delta_k(x)$, and $\varphi_j$ is a Boolean polynomial of odd
3244: weight in Boolean variables $\chi_0,\ldots,\chi_{j-1}$ for $j>0$, $\varphi_0=1$.
3245: Note that for $j>0$
3246: \begin{multline}
3247: \label{eq:reverse}
3248: \delta_j(h(x))\equiv \chi_j+\chi_0\cdot\chi_1\cdots\chi_{j-1}+
3249: \psi_j(\chi_0,\ldots,\chi_{j-1})\equiv \\
3250: \chi_j+\chi_0\cdot\alpha_j(\chi_1,\ldots,\chi_{j-1})+\beta_j(\chi_1,\ldots,\chi_{j-1})
3251: \pmod 2,
3252: \end{multline}
3253: where $\psi_j,\alpha_j,\beta_j$ are Boolean polynomials of corresponding
3254: Boolean variables, and $\deg\psi_j<j$, so $\alpha_j$ is a non-zero polynomial.
3255:
3256: For binary sequences $\mathcal U, \mathcal V, \mathcal W, \ldots$ (which
3257: could be treated as $2$-adic integers) and a Boolean polynomial
3258: $\gamma(\upsilon,\nu,\omega,\ldots)$ of Boolean variables $\upsilon,\nu,\omega,\ldots$
3259: denote $\gamma(\mathcal U, \mathcal V, \mathcal W, \ldots)$ a binary sequence
3260: $\mathcal S$ (thus, a $2$-adic integer) such that
3261: $$\delta_j(\mathcal S)\equiv
3262: \gamma(\delta_j(\mathcal U),\delta_j(\mathcal V),\delta_j(\mathcal W),\ldots)\pmod2,$$
3263: for all $j=0,1,2,\ldots$. Loosely speaking, we just substitute, respectively,
3264: $\XOR$
3265: and $\AND$ for $+$ and $\cdot$ in the Boolean polynomial $\gamma$ and let
3266: variables $\upsilon,\nu,\omega,\ldots$ run through the space $\Z_2$ of
3267: $2$-adic integers. Thus we obtain a well defined multivariate function $\gamma$
3268: on $\Z_2$ valuated in $\Z_2$. Since there is a natural one-to-one correspondence
3269: between infinite binary sequences and $2$-adic integers, the sequence
3270: $\gamma(\mathcal U, \mathcal V, \mathcal W, \ldots)$ is well defined. Note
3271: also that treating binary sequences as $2$-adic integers enables one to
3272: produce infinite sequences of $n$-bit rational integers out of $n$ infinite binary sequences
3273: in an obvious manner: Say, $\mathcal U+2\cdot\mathcal V+4\mathcal W$ is a
3274: sequence $\mathcal N=\{n_0,n_1,\ldots\in\N_0\}$ such that $n_j=\delta_j(\mathcal
3275: U)+2\cdot\delta_j(\mathcal V)+4\cdot\delta_j(\mathcal W)$ for $j=0,1,2\ldots$.
3276: For instance, if $\mathcal U=101\ldots$, $\mathcal V=110\ldots$, and
3277: $\mathcal W=010\ldots$, then $\mathcal N=361\ldots$ is a sequence over
3278: $\{0,1,\ldots,7\}=\Z/8$.
3279:
3280: Proceeding with these conventions, let $\mathcal C_j$ (respectively, $\mathcal D_j$) be the $j$\textsuperscript{th} output sequence of the
3281: automaton $\mathfrak B$ (respectively, $\mathfrak A$). Let $\mathcal E=111\ldots$. Then in view of
3282: \eqref{eq:reverse} one has:
3283: \begin{gather*}
3284: \mathcal D_0=\mathcal C_{n-1}\oplus \mathcal E;\\
3285: \mathcal D_1=\mathcal C_{n-2}\oplus\mathcal C_{n-1}\oplus \mathcal B;\\
3286: \mathcal D_j=\mathcal C_{n-j-1}\oplus\mathcal C_{n-1}\odot
3287: \alpha_j(\mathcal C_{n-2},\ldots,\mathcal C_{n-j})\oplus
3288: \beta_j(\mathcal C_{n-2},\ldots,\mathcal C_{n-j})\qquad(j\ge 2),
3289: \end{gather*}
3290: where $\mathcal B=\beta_1\beta_1\beta_1\ldots$ is a constant binary sequence.
3291: Note that $\mathcal C_i$ is a purely periodic
3292: binary sequence of period length exactly $2^{i+1}$, and the second half
3293: of the period is a bitwise negation of the first half, see \ref{halfper}
3294: further. This completes the proof
3295: of proposition \ref{prop:reverse}
3296: in view of lemma \ref{le:reverse} and conventions made above, if we prove
3297: that the sequence
3298: $\alpha_j(\mathcal C_{n-2},\ldots,\mathcal C_{n-j})$, $2\le j\le n-1$,
3299: is a non-zero binary
3300: sequence.
3301:
3302: Consider a sequence
3303: $\mathcal G_j=2^{n-2}\cdot\mathcal C_{n-2}+\dots+2^{n-j}\cdot\mathcal C_{n-j}$
3304: %is a sequence
3305: over $\Z/2^{j-1}$. The latter sequence is just an output sequence of the
3306: automaton $\mathfrak G_j=\langle \Z/2^{n-1},\Z/2^{j-1},f\bmod 2^{n-1},
3307: T_{n-j-1}, u\rangle$, where $T_{n-j-1}$ is a truncation of the first
3308: $n-j$ low order bits: $T_{n-j-1}(z)=\lfloor\frac{z}{2^{n-j}}\rfloor$.
3309: Thus, $\mathcal G_j$ is a purely periodic sequence
3310: of period length exactly $2^{n-1}$ and with each element of $\Z/2^{j-1}$
3311: occurring at the period the same number of times. Yet
3312: $\alpha_j$ is a non-zero Boolean polynomial (see above); thus it takes
3313: value $1$ at least at one $(j-1)$-bit word of $\Z/2^{j-1}$. Consequently, at least
3314: one member of the sequence $\alpha_j(\mathcal C_{n-2},\ldots,\mathcal C_{n-j})$
3315: is $1$.
3316: \end{proof}
3317: \begin{note*} There are other methods that improve periods of coordinate
3318: sequences. For instance, using the ideas of the proof of \ref{prop:reverse}
3319: it is not difficult to demonstrate that {\it if a recurrence sequence is
3320: defined by a relation $x_{i+1}=f(x_i)$, where $f\:\Z_2\>\Z_2$ is a compatible
3321: and ergodic mapping, then a binary sequence
3322: $\{\delta_k(x_i+2^j\cdot\delta_s(x_i))\:i=0,1,2,\ldots\}$ is purely periodic with
3323: period length exactly $2^s$ whenever $j\le k<s$}. From here it could be
3324: deduced that e.g. the sequence
3325: $$\mathcal Z=\Big\{\Big(x_i+\pi_k^1\Big(\Big\lfloor\frac{x_i}{2^k}\Big\rfloor\bmod
3326: 2^k\Big)\Big)\bmod 2^k\:i=0,1,2,\ldots\Big\}$$
3327: is a purely periodic sequence over $\Z/2^k$ of period length exactly
3328: $2^{2k}$,
3329: such that each element of $\Z/2^k$ occurs at the period exactly $2^k$ times,
3330: and that each coordinate sequence of $\mathcal Z$ is a purely periodic binary sequence of
3331: period length exactly $2^{2k}$. Note that $\mathcal Z$ is obtained according
3332: to a very simple rule: at the $i$\textsuperscript{th} step take $(2k)$-bit output
3333: of congruential generator of a maximum period length with state transition
3334: function $f$, read the second half of this output as a $k$-bit
3335: number in reverse bit order and
3336: add this number modulo $2^k$ to the $k$-bit number that agrees with the first
3337: half of the output.
3338: %The proof of proposition \ref{prop:reverse} shows that the
3339: %only condition that provides exact period
3340: \end{note*}
3341:
3342:
3343: % To avoid significant reduce of performance one may, for instanse, combine several
3344: % coordinate sequences to form an output as
3345: % $\{(\delta_j(f^{(i)}(z)),\dots,\delta_{j+s}(f^{(i)}(z))): i=0,1,2,\dots\}$
3346: % thus obtaining the so-called truncated (and, generally speaking, nonlinear)
3347: % congruential generator. Obviously, the
3348: % truncation is also an equiprobable mapping of $\mathbb Z_2$ onto $\mathbb
3349: % Z/2^{s+1}$. provided $f$ is an ergodic function one obtains this way a strictly uniformly distributed
3350: % output sequence over $\mathbb Z/2^{s+1}$. Namely, this sequence is purely periodic
3351: % with
3352: % period length $2^{j+s+1}$, and each element of $\mathbb Z/2^{s+1}$
3353: % occurs at the period exactly
3354: % $2^j$ times. However, in this case one has to study correlations between
3355: % the coordinate sequences. We focuse on these issues in the following section.
3356: %
3357: \section{Properties}
3358: \label{sec:Prop}
3359: In this section we study common probabilistic, cryptographic and other properties
3360: of output sequences of the generators considered in preceding sections:
3361: Linear and $2$-adic spans
3362: of these sequences,
3363: their structure, distribution of $k$-tuples in them, etc.
3364: We begin our study with properties of coordinate sequences of the automata
3365: considered above, that is,
3366: of the sequences $\{\delta_j(s_{i})\colon i=0,1,2,\ldots\}$, where $\{s_i\}$
3367: is the output sequence of the automaton.
3368: \subsection*{Properties of coordinate sequences}
3369: %\label{CS}
3370: To study coordinate sequences it is convenient to consider an
3371: %So on we assume that the state transition function $f$ of
3372: automaton $\mathfrak A^\prime$ with a state set $\mathbb Z_2$, compatible
3373: and ergodic state transition function $f\colon\mathbb Z_2\rightarrow\mathbb
3374: Z_2$
3375: % $f=\widetilde f\bmod {2^n}$, where $\widetilde f$
3376: % is compatible and ergodic mapping of $\mathbb Z_2$ onto itself,
3377: and with identity
3378: output function $F(z)=z$. We also consider an automaton $\mathfrak A^\prime_j$
3379: which differs from $\mathfrak A^\prime$ only by the output function, which
3380: is $\delta_j(z)$ in this case.
3381: %(for some time we will omit the superscript in the following considerations).
3382: Thus the output sequence of $\mathfrak A^\prime_j$ is just
3383: the $j$\textsuperscript{th} coordinate
3384: sequence $\mathcal S_j=\{s_i=\delta_j(f^{(i)}(z)): i=0,1,2,\dots\}$ of the
3385: automaton $\mathfrak A^\prime$ (here
3386: $z\in\mathbb Z_2$ is the initial state of the automaton $\mathfrak
3387: A^\prime$). Note that since $f$ is compatible, we may assume
3388: if necessary that
3389: $z\in\mathbb Z/2^{j+1}$, i.e., that all but possibly the first $j+1$ junior
3390: bits of $2$-adic representation of $z$ are $0$. That is, the output sequence
3391: of the automaton $\mathfrak A^\prime_j$ is the same as the one of the automaton
3392: $\mathfrak A=\langle \mathbb Z/2^{j+1}, \mathbb Z/2, f\bmod 2^{j+1},\delta_j,z\bmod 2^{j+1}\rangle$,
3393: see Section \ref{Prelm}.
3394:
3395: It turns out that the $j$\textsuperscript{th} coordinate
3396: sequence has a rather specific structure. Namely, the following theorem
3397: holds.
3398: \begin{thm}
3399: \label{halfper}
3400: The $j$\textsuperscript{th} coordinate sequence is purely periodic, and
3401: $2^{j+1}$ is the length of its period.
3402: The second half of the period is a bitwise negation of its first half, i.e.,
3403: %\begin{equation*}
3404: $s_{i+2^j}\equiv s_{i}+1\pmod 2$
3405: %\end{equation*}
3406: for each $i=0,1,2,\ldots$.
3407: \end{thm}
3408: \begin{proof}
3409: Since the mapping $f\colon\mathbb Z_2\rightarrow\mathbb Z_2$ is compatible and ergodic,
3410: the sequence $\{x_{i+1}=f(x_i)\bmod 2^{j+1}:i=0,1,2,\dots\}$ is purely periodic,
3411: with $2^{j+1}$ being the length of its period, whereas the sequence
3412: $\{x_{i+1}=f(x_i)\bmod 2^{j}:i=0,1,2,\dots\}$
3413: is purely periodic, and the length of its period is exactly
3414: $2^{j}$. Yet $x_{i+1}\bmod 2^{j+1}=x_{i+1}\bmod 2^{j}+2^j\delta_j(x_{i+1})$,
3415: and the first assertion of \ref{halfper} follows.
3416:
3417: Supposing $\delta_j(x_{i+1})=\delta_j(x_{i+1+2^j})$ for some $i$, from
3418: the preceding equality one obtains $x_{i+1+2^j}\equiv x_{i+1}\pmod {2^{j+1}}$,
3419: and hence $x_{i+t+1+2^j}\equiv f^{(t)}(x_{i+1+2^j})\equiv f^{(t)}(x_{i+1})\equiv
3420: x_{i+t+1}\pmod{2^{j+1}}$ for all $t=0,1,2,\dots$, in view of compatibility of $f$.
3421: So the length of the period of the sequence $\{x_i\bmod 2^{j+1}:i=0,1,2,\dots\}$
3422: does not exceed $2^j$, in contradiction with the ergodicity of $f$, see
3423: \ref{def:erg}.
3424: \end{proof}
3425: \begin{note}
3426: \label{note:halfper}
3427: Theorem \ref{halfper} could be generalized in two directions. First, to
3428: output sequences of wreath products of automata (this is already done,
3429: see \ref{note:halfper-odd}),
3430: and second, to the case $p$ odd.
3431: %The analogon of the theorem \ref{halfper} also holds for odd prime $p$.
3432:
3433: In the latter case, provided the transformation $f\colon\mathbb Z_p\rightarrow\mathbb Z_p$ is
3434: compatible
3435: and ergodic, the $j$\textsuperscript{th} coordinate sequence $\{\delta_j(f^{(i)}(z)):i=0,1,2,\dots\}$
3436: is purely periodic, with $p^{j+1}$ being the length of its period (here
3437: and further within this remark
3438: $\delta_j(z)$ stands for the $j$\textsuperscript{th} digit in base-$p$
3439: expansion of $z$). Each subsequence
3440: $\{\delta_j(f^{(i+p^t)}(z)):t=0,1,2,\dots\}$ is a purely periodic sequence
3441: with $p$ being the length of period;
3442: moreover, for $j>0$ it is generated by a linear congruential
3443: generator modulo
3444: $p$, i.e., by a polynomial $a+x$ for appropriate $a\in\{1,2,\dots,p-1\}$.
3445: So this sequence is
3446: strictly uniformly distributed modulo
3447: $p$: each $u\in\mathbb Z/p$ occurs at the period exactly once.
3448: %
3449: % Loosely speaking, for $j>0$ the generator $\delta_j(f^{(i)}(z))$ could be considered
3450: % as a kind of a generalized shrinking
3451: % generator, consisting of $p^{j-1}$ linear congruential generators modulo
3452: % $p$ of maximum period length (that is, of length $p$), controlled by the selector
3453: % $\delta_j(f^{(i)}(z\bmod p^{j}))$ (for definitions
3454: % see e.g.
3455: % \cite{LinRec} and references therein).
3456: The generator $\delta_0(f^{(i)}(z))$ is a (generally speaking, nonlinear)
3457: congruential generator of the form $v_{i+1}\equiv g(v_i)\pmod p$ for an
3458: appropriate
3459: transitive modulo $p$
3460: polynomial $g(x)$ over the field $\mathbb Z/p$ of residues modulo $p$.
3461:
3462: A proof of this assertion could be deduced from the proof of theorem
3463: 3.4 of \cite{me-2} since in view of the $p$-adic Weierstrass theorem (see
3464: \cite{Mah}) a transformation $z\mapsto f(z)\bmod p^{j+1}$ of the residue
3465: ring $\mathbb Z/p^{j+1}$ may be considered
3466: as a polynomial transformation $z\mapsto w(z)\bmod p^{j+1}$ induced by
3467: an
3468: integer-valued and compatible polynomial $w(x)\in\mathbb Q[x]$, i.e., by
3469: a polynomial of the form mentioned in \ref{ergBin}. Thus the
3470: mapping $z\mapsto f(z)\bmod p^{j+1}$ could be considered as a reduction modulo
3471: $p^{j+1}$ of the compatible and ergodic mapping $w\colon\mathbb Z_p\rightarrow\mathbb
3472: Z_p$; the latter mapping is uniformly differentiable everywhere on $\mathbb Z_p$. Hence
3473: the assumptions of theorem 3.4 of \cite{me-2} are satisfied. We omit
3474: further details.
3475: \end{note}
3476: We recall that a linear complexity $\Psi_F(\mathcal S)$
3477: of the sequence $\mathcal S=\{s_i\:i=0,1,2,\ldots\}$
3478: over a field $F$ is the smallest $n\in\mathbb N$ such that every $n$ successive
3479: members of the sequence satisfy some non-trivial linear relation of length $n+1$,
3480: i.e., there exist $a_0,a_1,\ldots,a_n$, not all equal to $0$, such that
3481: $a_0s_i+a_1s_{i+1}+\dots +a_ns_{i+n}=0$ for all $i=0,1,2,\ldots$. In this
3482: case we also say that
3483: the polynomial $a_0+a_1x+\dots+a_nx^n\in F[x]$ {\it annihilates} $\mathcal S$
3484: \footnote{A polynomial that annihilates $\mathcal S$ is also
3485: called a {\it characteristic polynomial of the sequence $\mathcal S$}.}.
3486: In other
3487: words, linear complexity is just a degree of the minimal polynomial of $\mathcal
3488: S$ (the minimum degree nonzero polynomial that annihilates $\mathcal
3489: S$; a polynomial $g(x)\in F[x]$ annihilates $\mathcal S$ iff the minimal
3490: polynomial of $\mathcal S$ is a factor of $g(x)$ --- see e.g. \cite{LinRec} or
3491: \cite{LidNied} for
3492: references). In case $F=\mathbb Z/p$ is a field of $p$ elements we
3493: use for linear complexity over $F$ the notation $\Psi_p$ rather than $\Psi_{\mathbb
3494: Z/p}$.
3495:
3496: Linear complexity
3497: is one of the properties crucial for cryptography:
3498: pseudorandom generators
3499: that produce sequences of low linear
3500: complexity are not secure, since, having a relatively short segment of the output
3501: sequence
3502: and solving the corresponding system of linear equations over $F$, a cryptanalyst
3503: could find $a_0,a_1,\ldots,a_n$ and thus predict
3504: with probability $1$ the rest of the members of the sequence. Of course, high
3505: linear complexity per se does not guarantee security.
3506: \begin{thm}
3507: \label{lincomp}
3508: The linear complexity $\Psi_2(\mathcal S_j)$ of the $j$\textsuperscript{th}
3509: coordinate sequence $\mathcal S_j$ is exactly $2^j+1$.
3510: \end{thm}
3511: We need the following lemma:
3512: %which will be used in further considerations also.
3513: \begin{lem}
3514: \label{le:lincomp}
3515: Let $p$ be a prime, and let $\mathcal S$
3516: be a purely periodic sequence
3517: over $\mathbb Z/p$ of period
3518: length exactly $p^{j+1}$. Then $\Psi _p(\mathcal S)>p^j$.
3519: \end{lem}
3520: \begin{proof}[Proof of lemma \ref{le:lincomp}]
3521: Since $p^{j+1}$ is the length of the period of the sequence $\mathcal S$,
3522: the polynomial $x^{p^{j+1}}-1$ over a field $\mathbb Z/p$ annihilates $\mathcal S$.
3523: Yet
3524: $x^{p^{j+1}}-1=(x-1)^{p^{j+1}}$; thus, the minimal polynomial $m(x)$ of
3525: $\mathcal S$ is of the form $(x-1)^r$, where $r\le p^{j+1}$. However, the
polynomial $x^{p^{j}}-1=(x-1)^{p^{j}}$ does not annihilate $\mathcal S$,
since otherwise $p^j$ would be a period length of $\mathcal S$,
whereas
$\mathcal S$ has no periods of length less than $p^{j+1}$ (see definition
\ref{def:strict}).
Hence, $\deg m(x)=r>p^j$, since
otherwise $m(x)=(x-1)^r$ would divide $(x-1)^{p^{j}}$, and the latter polynomial
would then annihilate $\mathcal S$.
3535: \end{proof}
3536: \begin{proof}[Proof of the theorem \ref{lincomp}]
Since $s_{i+2^j}\equiv s_{i}+1\pmod 2$
for all $i=0,1,2,\ldots$ (see \ref{halfper}), the congruence
$s_{i+1+2^{j}}+s_{i+2^j}+s_{i+1}+s_{i}\equiv
0\pmod 2$ holds for all $i=0,1,2,\ldots$. Hence, the polynomial
$x^{2^{j}+1}+x^{2^{j}}+x+1=(x+1)^{2^{j}+1}$ annihilates the $j$\textsuperscript{th} coordinate
sequence
$\mathcal S_j=\{s_0,s_1,\dots\}$, so $\Psi_2(\mathcal S_j)\le 2^j+1$. On the other
hand, the same congruence shows that the period length of $\mathcal S_j$ is exactly
$2^{j+1}$: every period length of $\mathcal S_j$ divides $2^{j+1}$, and $2^j$ is not
a period length since $s_{i+2^j}\ne s_i$. Thus $\Psi_2(\mathcal S_j)>2^j$ by
lemma \ref{le:lincomp}, and the assertion of \ref{lincomp} follows.
3545: \end{proof}
3546: Theorem \ref{lincomp} could be generalized to the case of output sequences
3547: of wreath products of automata. Namely, the following proposition holds.
3548: \begin{prop}
3549: \label{prop:WP:lincomp}
3550: Let $\mathcal S=\{s_i\:i=0,1,2,\ldots\}$ be any of the sequences $\mathcal U_n$,
3551: $\mathcal X_n$,
3552: $\mathcal W_n$, $\mathcal Y_n$, and $\mathcal Z$ defined, respectively,
3553: in \ref{WP-even}, \ref{WP-even-trunc}, \ref{WP-odd}, \ref{le:WP-odd},
3554: and \ref{thm:WP}. Then the linear complexity of the $(n-1)$\textsuperscript{th}
3555: coordinate sequence
3556: $\delta_{n-1}(\mathcal S)=\{\delta_{n-1}(s_i)\:i=0,1,2,\ldots\}$ exceeds
3557: $2^{n-1}$.
3558: \end{prop}
3559: \begin{proof} Since the period length of the sequence $\delta_{n-1}(\mathcal S)$
3560: is $2^n\ell$, where $\ell=2^m$ for $\mathcal S\in\{\mathcal U_n,
3561: \mathcal X_n\}$, or $\ell=m$ otherwise
3562: (see corresponding statements), the polynomial $u(x)=x^{2^n\ell}-1=
3563: (x^\ell-1)^{2^n}$ annihilates $\delta_{n-1}(\mathcal S)$. Thus, the minimal polynomial
3564: $m(x)$ of $\delta_{n-1}(\mathcal S)$ is a factor of $u(x)$. On the other
3565: hand $m(x)$ is not a factor of $w(x)=(x^\ell-1)^{2^{n-1}}$ since otherwise
3566: the sequence $\delta_{n-1}(\mathcal S)$ has period of length $2^{n-1}\ell$;
3567: however, this is impossible since the second half of the period of length
3568: $2^n\ell$ of this sequence is a bitwise negation of the first half, see
3569: \ref{note:halfper-odd}.
3570: Since both polynomials $u(x)$, $w(x)$ have the same set of
3571: roots in their splitting field, at least one of these roots is a root of
3572: $m(x)$ with multiplicity exceeding $2^{n-1}$. Thus, $\deg m(x)>2^{n-1}$.
3573: \end{proof}
Speaking formally, proposition \ref{prop:WP:lincomp} holds
for $\ell=1$ as well; in this case it is the lower bound $\Psi_2>2^{n-1}$ of
theorem \ref{lincomp} (with $j=n-1$), which is attained. Thus,
we may say that the estimate of $\Psi_2(\delta_{n-1}(\mathcal S))$ given
by proposition \ref{prop:WP:lincomp} is sharp. However, it could be improved
for particular classes of $\ell$. For instance, if $\ell=2^m$, i.e.,
if $\mathcal S=\mathcal X_n$, then $\Psi_2(\delta_{n-1}(\mathcal S))=
2^{n-1}\ell+1$ in view of note \ref{WP-even-trunc} and theorem \ref{lincomp}.
3581: %In other cases the estimate of $\Psi_2(\delta_{n-1}(\mathcal S))$ given
3582: %by proposition \ref{prop:WP:lincomp} may be also sharpen. For instance, if
Also, if $\ell=2^km_1$, where $m_1$ is odd, then the proof of proposition
\ref{prop:WP:lincomp}
(with $u(x)=(x^{m_1}-1)^{2^{n+k}}$ and $w(x)=(x^{m_1}-1)^{2^{n-1+k}}$)
shows that $\Psi_2(\delta_{n-1}(\mathcal S))>2^{n-1+k}$.
3586:
So it seems possible to improve significantly
the estimate of linear complexity given by proposition
\ref{prop:WP:lincomp} for the classes of wreath products
described by \ref{WP-even}, \ref{WP-even-trunc}, \ref{WP-odd}, \ref{le:WP-odd},
and \ref{thm:WP}, i.e., for arbitrary
$\ell>1$. To do this we have to run a bit ahead and
use theorem \ref{thm:WP:AnyHalfPer}, which is proved below. With the
use of this theorem
the general case is reduced to the case of odd $\ell$. Namely, in view of
theorem
\ref{thm:WP:AnyHalfPer}, every purely periodic binary sequence of period
length $2^n\ell$, $n>1$, such that the second half of the period of this
sequence is a bitwise negation of the first half, can be considered
as the $(n-1)$\textsuperscript{th} coordinate sequence of a certain wreath product
of automata described by theorem \ref{thm:WP}. Thus, if $\ell=2^km_1$,
where $m_1$ is odd, this sequence, in view of theorem \ref{thm:WP:AnyHalfPer},
can be considered as the $(n-1+k)$\textsuperscript{th} coordinate sequence
of a suitable wreath product of automata mentioned in theorem \ref{thm:WP}
with $m=m_1$ odd. So we can assume that $\ell$ is odd.
3606:
With this reduction in mind, using the congruence
$\delta_{n-1}(s_{i+2^{n-1}\ell})\equiv
\delta_{n-1}(s_{i})+1\pmod 2$ (see \ref{note:halfper-odd}) we obtain that
the minimal polynomial $m_{n-1}(x)$ of the sequence $\delta_{n-1}(\mathcal S)$ is a factor of the polynomial
\begin{multline*}
x^{2^{n-1}\ell+1}+x^{2^{n-1}\ell}
+x+1=\\ (x^\ell+1)^{2^{n-1}}(x+1)=(x^{\ell-1}+\cdots+x+1)^{2^{n-1}}
(x+1)^{2^{n-1}+1}.
\end{multline*}
Thus, the root of multiplicity $>2^{n-1}$ found in the proof of
proposition \ref{prop:WP:lincomp} is $1$ (since the polynomial $x^{\ell-1}+\cdots+x+1$
is a factor of $x^\ell-1$; yet $x^\ell-1$
has no roots of multiplicity $>1$ in its splitting field, as $\ell$ is
odd). Hence,
3621: \begin{equation}
3622: \label{eq:minpol}
3623: m_{n-1}(x)=v(x)(x+1)^{2^{n-1}+1},
3624: \end{equation}
3625: where $v(x)$ is a factor of $(x^{\ell-1}+\cdots+x+1)^{2^{n-1}}$. Thus,
3626: \begin{equation}
3627: \label{eq:lincomp:sharp}
3628: 2^{n-1}\ell+1\ge\deg m_{n-1}(x)=\Psi_2(\delta_{n-1}(\mathcal S))\ge 2^{n-1}+1.
3629: \end{equation}
We shall show now that for $n>1$
both bounds are sharp.
3632:
Consider a finite sequence $\mathcal T$ of length $2^{n-1}\ell$ consisting of gaps and runs
(alternating blocks of $0$'s and $1$'s)
of length $2^{n-1}$ each. Take this sequence as the first half of a period
of a sequence $\mathcal S^{\prime}$, and take the bitwise negation $\hat{\mathcal T}$
of $\mathcal T$ as the second half of the period
of $\mathcal S^\prime$ (of course $\hat{\mathcal T}=\mathcal
T\XOR(2^{2^{n-1}\ell}-1)$, where we consider $\mathcal T$ as the base-$2$
expansion of a suitable rational integer $\gamma_{n-1}> 0$).
Obviously, $\mathcal S^\prime$ is a purely periodic sequence
of period length $2^n\ell$, and the second half of its period is a bitwise
negation of the first half. Thus, as is shown
by theorem \ref{thm:WP:AnyHalfPer}, the sequence $\mathcal S^\prime$ can be
output as the $(n-1)$\textsuperscript{th}
coordinate sequence of a suitable wreath product of automata
described by theorem \ref{thm:WP}.
Yet obviously $\mathcal S^\prime$ is a sequence of gaps and runs of length $2^{n-1}$
each ($\ell$ being odd, $\mathcal T$ ends with a block of the same kind it starts
with, so $\hat{\mathcal T}$ continues the alternation); thus, the exact period length of the sequence $\mathcal S^\prime$ is
$2^n$. So the linear complexity of $\mathcal S^\prime$ is $2^{n-1}+1$ (see the proof
of theorem \ref{lincomp}).
3652:
Now we prove that the upper bound in \eqref{eq:lincomp:sharp} is also sharp.
Consider a sequence $\mathcal U$ of gaps and runs of length $2^{n-1}$ each,
and a purely periodic sequence $\mathcal V$ with period of length $2^{n-1}\ell$;
let this period consist of a run of length $2^{n-1}(\ell-1)$ followed
by a gap of length $2^{n-1}$. Let $m_{\mathcal U}(x), m_{\mathcal V}(x)$ be the minimal polynomials
of the corresponding sequences.

Since $\mathcal U$ is a purely periodic sequence
with period length exactly $2^n$, and the second half of its period is the
bitwise negation of the first half, the polynomial $m_1(x)=x^{2^{n-1}+1}+x^{2^{n-1}}+x+1=
(x+1)^{2^{n-1}+1}$ annihilates $\mathcal U$ (see the argument above); so
$m_{\mathcal U}(x)$ is a factor of $m_1(x)$. However, the period length of $\mathcal U$
is exactly $2^n$, so $\deg m_{\mathcal U}(x)>2^{n-1}$ by lemma \ref{le:lincomp}
(cf.\ also \cite[Theorem 8.51]{LidNied}). Since the only divisor of $m_1(x)$
of degree exceeding $2^{n-1}$ is $m_1(x)$ itself, we conclude that $m_{\mathcal U}(x)=m_1(x)$.
A similar argument proves that $m_{\mathcal V}(x)=x^{2^{n-1}(\ell-1)}+x^{2^{n-1}(\ell-2)}+
\dots+x^{2^{n-1}}+1=(x^{\ell-1}+\dots+x+1)^{2^{n-1}}$.
3670:
Now consider the sum $\mathcal R$ of these two sequences, i.e., $\mathcal
R=\mathcal U\XOR\mathcal V$. Obviously, $m_{\mathcal U}(x)$ and $m_{\mathcal V}(x)$
are coprime, since $1$ is the only root of $m_{\mathcal U}(x)$, yet $1$
is not a root of $m_{\mathcal V}(x)$ (recall that $\ell$ is odd). Thus,
$m_{\mathcal U}(x)\cdot m_{\mathcal V}(x)$ is the minimal polynomial of
$\mathcal R$ (see \cite[Theorem 8.57]{LidNied}). Hence $\Psi_2(\mathcal
R)=(2^{n-1}+1)+2^{n-1}(\ell-1)=2^{n-1}\ell+1$.
3678:
3679: Since $\ell$ is odd, $\mathcal R$ is obviously a purely periodic sequence
3680: of period length exactly $2^n\ell$, and the second half of the period is
3681: a bitwise negation of its first half. Consequently, $\mathcal R$ is the
3682: $(n-1)$\textsuperscript{th} coordinate sequence of a suitable wreath product of automata, which is
3683: described by theorem \ref{thm:WP} (see \ref{thm:WP:AnyHalfPer}).
3684:
As a bonus we obtain that the exact period length $P$ of the $(n-1)$\textsuperscript{th}
coordinate sequence $\delta_{n-1}(\mathcal S)$ for odd $\ell$
is a multiple of $2^{n}$: Since $x^P+1$
annihilates $\delta_{n-1}(\mathcal S)$, $m_{n-1}(x)$ is a factor of $x^P+1$.
Yet $x^P+1=(x^s+1)^{2^t}=(x+1)^{2^t}(x^{s-1}+\dots+1)^{2^t}$, where $P=2^ts$,
$s$ odd, and $1$ is not a root of $x^{s-1}+\dots+1$ since $s$ is odd.
Thus, necessarily $2^t\ge 2^{n-1}+1$ in view of \eqref{eq:minpol}. Hence,
$t\ge n$. So we conclude that $P=2^ns$; yet $P\le 2^n\ell$ since the output
sequence $\mathcal Z\bmod 2^n$ is purely periodic of period length exactly
$2^n\ell$ (see \ref{thm:WP}). Thus, $P=2^ns$, where $s$ is odd and $1\le s\le\ell$. As
the examples of the sequences $\mathcal S^\prime$ and $\mathcal R$
demonstrate, both extreme cases $s= 1$ and $s=\ell$ are possible.
3697:
3698: We summarize the above considerations in the following
3699: \begin{thm}
\label{thm:lincomp:sharp} Let $\mathcal Z_j$, $j>0$, be the $j$\textsuperscript{th}
coordinate sequence of a wreath product of automata {\rm(described by any of
\ref{WP-even}, \ref{WP-even-trunc}, \ref{WP-odd}, \ref{le:WP-odd},
and \ref{thm:WP}; thus $\mathcal Z_j$ is a purely periodic binary sequence
of period length $2^{j+1}\ell$, where $\ell=2^m$ for wreath products described
by \ref{WP-even} or \ref{WP-even-trunc}, and $\ell=m$ otherwise)}.
Represent $\ell=2^kr$, where $r$
is odd.
Then the exact period length of $\mathcal Z_j$ is $2^{k+j+1}s$ for
some odd $s$ with $1\le s\le r$, and both extreme cases $s=1$ and $s=r$
occur: for every sequence $s_1,s_2,\ldots$ over the set $\{1,r\}$
there exists a wreath product of automata such that the period length
of the $j$\textsuperscript{th} coordinate sequence of its output is exactly
$2^{k+j+1}s_j$, $(j=1,2,\ldots)$.


Moreover, the linear complexity $\Psi_2(\mathcal Z_j)$ of the sequence $\mathcal
Z_j$ satisfies the following inequality:
$$2^{k+j}+1\le \Psi_2(\mathcal Z_j)\le 2^{k+j}r+1.$$
Both bounds are sharp:
for every sequence $t_1,t_2,\ldots$ over the set $\{1,r\}$
there exists a wreath product of automata such that the linear complexity
of the $j$\textsuperscript{th} coordinate sequence of its output is exactly
$ 2^{k+j}t_j+1$, $(j=1,2,\ldots)$.
3724: \end{thm}
\begin{proof} Nearly everything is already done by the preceding arguments.
We only note that in view of theorem \ref{thm:WP:AnyHalfPer}
we can choose the coordinate sequences independently
of one another. That is, for each sequence of purely periodic binary sequences
$\mathcal
Z_1, \mathcal Z_2, \dots$, such that the period length of the $j$\textsuperscript{th}
sequence $\mathcal Z_j$ $(j=1,2,\ldots)$ is $2^{j+1}\ell$, and the second
half of this period is a bitwise negation of the first half, there exists
a wreath product of automata that satisfies \ref{thm:WP} and such that
the $j$\textsuperscript{th} coordinate sequence of its output is exactly
$\mathcal Z_j$ for all $j=1,2,\ldots$.
\end{proof}
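The following is an added worked example (Python, not part of the paper): an implementation of the Berlekamp--Massey algorithm over $\mathbb Z/2$, used to compute $\Psi_2$ directly for (a) the $j$\textsuperscript{th} coordinate sequence of the counter $f(x)=x+1$ and of the polynomial $f(x)=4x^2+x+1$ (the latter is assumed ergodic; the code checks transitivity modulo $2^{j+1}$, which is all that the argument of theorem \ref{lincomp} uses), confirming $\Psi_2(\mathcal S_j)=2^j+1$ and the half-period negation of \ref{halfper}, and (b) the sequences $\mathcal S^\prime$ and $\mathcal R$ constructed above, confirming that both bounds of \eqref{eq:lincomp:sharp} are attained for odd $\ell$ (the case $k=0$ of theorem \ref{thm:lincomp:sharp}). All function names and sample parameters are the example's own.

```python
# Added example (not from the paper): Berlekamp--Massey over GF(2) applied to
# j-th coordinate sequences (theorem lincomp) and to the sequences S' and R
# that attain the two bounds of eq. lincomp:sharp.
from typing import Callable, List


def berlekamp_massey(bits: List[int]) -> int:
    """Linear complexity of a binary sequence (Berlekamp--Massey over GF(2)).

    Returns the length L of the shortest LFSR generating the prefix `bits`.
    Given at least 2L bits (two full periods of a purely periodic sequence
    always suffice), L is exactly the linear complexity Psi_2.
    """
    n = len(bits)
    c = [0] * (n + 1)          # connection polynomial C(x); c[k] = coeff of x^k
    b = [0] * (n + 1)          # previous connection polynomial B(x)
    c[0] = b[0] = 1
    L, m = 0, -1               # current LFSR length; index of the last length change
    for i in range(n):
        d = bits[i]            # discrepancy d = s_i + sum_{k=1..L} c_k s_{i-k} (mod 2)
        for k in range(1, L + 1):
            d ^= c[k] & bits[i - k]
        if d == 0:
            continue
        t = c[:]
        shift = i - m          # C(x) <- C(x) + x^(i-m) B(x)
        for k in range(n + 1 - shift):
            c[k + shift] ^= b[k]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L


def is_transitive_mod(f: Callable[[int], int], k: int) -> bool:
    """True iff x -> f(x) mod 2^k is a single cycle of length 2^k on Z/2^k."""
    mod = 1 << k
    x, seen = 0, set()
    for _ in range(mod):
        if x in seen:
            return False
        seen.add(x)
        x = f(x) % mod
    return x == 0 and len(seen) == mod


def coordinate_sequence(f: Callable[[int], int], z: int, j: int, length: int) -> List[int]:
    """delta_j(f^(i)(z)) for i < length.  Since f is compatible (1-Lipschitz),
    the j-th digit of the orbit depends on z only modulo 2^(j+1)."""
    mod = 1 << (j + 1)
    x, out = z % mod, []
    for _ in range(length):
        out.append((x >> j) & 1)
        x = f(x) % mod
    return out


def check_theorem_lincomp(f: Callable[[int], int], z: int, j: int):
    """(Psi_2 of S_j, whether the second half of every period negates the first)."""
    if not is_transitive_mod(f, j + 1):
        raise ValueError("f is not transitive modulo 2^(j+1)")
    period = 1 << (j + 1)
    s = coordinate_sequence(f, z, j, 2 * period)          # two full periods
    negated = all(s[i + period // 2] == s[i] ^ 1 for i in range(period + period // 2))
    return berlekamp_massey(s), negated


def expand(pattern: List[int], block_len: int) -> List[int]:
    """Gaps and runs: repeat every symbol of `pattern` block_len times."""
    return [bit for bit in pattern for _ in range(block_len)]


def sequence_s_prime(n: int, ell: int) -> List[int]:
    """Two periods of S': T = ell alternating blocks of length 2^(n-1),
    followed by the bitwise negation of T (ell odd)."""
    t = expand([k % 2 for k in range(ell)], 1 << (n - 1))
    return (t + [1 - bit for bit in t]) * 2


def sequence_r(n: int, ell: int) -> List[int]:
    """Two periods of R = U xor V: U alternates blocks of length 2^(n-1);
    V has period 2^(n-1)*ell, a run of length 2^(n-1)(ell-1) then one gap."""
    half = 1 << (n - 1)
    u = expand([0, 1], half) * ell                 # 2^n * ell bits, period 2^n
    v = expand([1] * (ell - 1) + [0], half) * 2    # 2^n * ell bits, period 2^(n-1)*ell
    return [a ^ b for a, b in zip(u, v)] * 2


def bounds_are_sharp(n: int, ell: int) -> bool:
    """Psi_2(S') = 2^(n-1)+1 and Psi_2(R) = 2^(n-1)*ell+1 (ell odd)."""
    lo = berlekamp_massey(sequence_s_prime(n, ell))
    hi = berlekamp_massey(sequence_r(n, ell))
    return lo == (1 << (n - 1)) + 1 and hi == (1 << (n - 1)) * ell + 1


if __name__ == "__main__":
    counter = lambda x: x + 1
    quad = lambda x: 4 * x * x + x + 1   # assumed ergodic; transitivity is checked
    for j in range(1, 6):
        print(j, check_theorem_lincomp(counter, 0, j), check_theorem_lincomp(quad, 3, j))
    print(bounds_are_sharp(3, 3), bounds_are_sharp(2, 5))
```

Two periods are fed to Berlekamp--Massey because $2L$ bits are needed to pin down an LFSR of length $L$, and $L\le$ period length; feeding a single period of $\mathcal R$ would report a spuriously small value.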
3737:
3738: %Note that precise values of $\deg m(x)$ depend not only on
3739: %$\ell$, but also on $\varphi_n^j$ of \ref{le:WP-odd}.
3740: %\end{note}
3741:
3742: With the use of theorem \ref{halfper} it is possible to estimate two other
3743: measures of complexity of the coordinate sequence, which were introduced
3744: in \cite{Kl-Gor}: namely,
3745: {\it $2$-adic complexity} and {\it $2$-adic span}.
3746: Whereas linear complexity (also known
3747: as {\it linear span}) is the number of cells in a linear
3748: feedback shift register outputting a given sequence $\mathcal S$ over
3749: $\mathbb Z/2$, the $2$-adic span is the number of cells in both memory and register
3750: of a feedback with carry shift register (FCSR) that outputs $\mathcal S$,
3751: and
3752: the
3753: $2$-adic complexity estimates the number of cells in the register of this
3754: FCSR. To be more exact, the $2$-adic complexity $\Phi_2(\mathcal S)$ of the (eventually) periodic
3755: sequence $\mathcal S=\{s_0,s_1,s_2,\ldots\}$ over $\mathbb Z/2$ is $\log_2(\Phi(u,v))$,
3756: where $\Phi(u,v)=\max\{|u|,|v|\}$ and $\frac{u}{v}\in\mathbb Q$
3757: is the irreducible fraction
3758: such that its $2$-adic expansion agrees with $\mathcal S$, that is,
3759: $\frac{u}{v}=s_0+s_12+s_22^2+\dots\in\mathbb Z_2$. The number of cells in the register
3760: of FCSR producing $\mathcal S$ is then $\lceil\log_2(\Phi(u,v))\rceil$,
3761: the least rational integer not smaller than $\log_2(\Phi(u,v))$.
3762: % The $2$-adic span $\Lambda_2(\mathcal S)$ and the $2$-adic complexity
3763: % $\Phi_2(\mathcal S)$ of the sequence $\mathcal S$ are related by the
3764: % following inequality (see Proposition 9.3 of \cite{Kl-Gor}):
3765: % $$|(\Lambda_2(\mathcal S)-2)-\Phi_2(\mathcal S)|\le\log_2(\Phi_2(\mathcal S)).$$
3766: Thus, we only need to estimate $\Phi_2(\mathcal S)$.
3767: \begin{thm}
3768: \label{2-comp}
Let $\mathcal S_j=\{s_0,s_1,s_2,\dots\}$ be the $j$\textsuperscript{th} coordinate
sequence.
Then its $2$-adic complexity $\Phi_2(\mathcal S_j)$ is $\log_2\Big(\frac{2^{2^j}+1}{\gcd(2^{2^j}+1,\gamma+1)}\Big)$,
3773: % , that is, the number of
3774: % cells in the register of FCSR, which outputs $\mathcal S$, is $\gcd (2^j+1,
3775: % r+1)$,
3776: where $\gamma=s_0+s_12+s_22^2+\dots+s_{2^{j}-1}2^{2^{j}-1}$.
3777: \end{thm}
3778: \begin{note*}
3779: We note that $\gamma$ is a non-negative
3780: rational integer, $0\le \gamma\le 2^{2^{j}}-1$; also we note that for each $\gamma$
3781: of this range there exists an ergodic mapping such that the first half
3782: of the period of the $j$\textsuperscript{th}
3783: coordinate sequence of the corresponding output is a base-$2$ expansion
3784: of $\gamma$ (see \ref{AnyHalfPer}). Thus,
3785: to find all possible values
3786: of 2-adic complexity
3787: of the $j$\textsuperscript{th} coordinate sequence one has to decompose
the $j$\textsuperscript{th} Fermat number $F_j=2^{2^j}+1$. It is known that
$F_j$ is prime for $0\le j\le 4$ and
composite for $5\le j\le 32$; $F_{33}$ is the smallest Fermat number for which it is
not known whether it is prime or composite, and the same holds for many larger $j$.
The complete factorization of $F_j$ is not known
for $j>11$. If for some $j\ge 2$ the $j$\textsuperscript{th} Fermat number
is composite,
all its prime factors are of the form $t2^{j+2}+1$, see e.g. \cite{Brent} for
further references. So, {\it for $j\ge 2$ the following bounds for the $2$-adic
complexity $\Phi_2(\mathcal S_j)$ of the $j$\textsuperscript{th} coordinate sequence
$\mathcal S_j$ hold:
$$ j+3\le\lceil\Phi_2(\mathcal S_j)\rceil\le 2^j+1,$$
yet to decide whether the lower bound is sharp for a given $j>11$, or whether
$\lceil\Phi_2(\mathcal S_j)\rceil$ can actually be less
than $2^j+1$ for a $j$ with $F_j$ of unknown status, one has to find a factor of the $j$\textsuperscript{th} Fermat number
or, respectively, to determine whether the $j$\textsuperscript{th}
Fermat number
is prime or composite.}
3812: \end{note*}
\begin{proof}[Proof of theorem \ref{2-comp}]
We only have to express $s_0+s_12+s_22^2+\dots$ as an irreducible fraction. Denote
$\gamma=s_0+s_12+s_22^2+\dots+s_{2^{j}-1}2^{2^{j}-1}$. Then
using
the second identity of \eqref{eq:id} we in view of \ref{halfper} obtain that
$s_0+s_12+s_22^2+\dots+s_{2^{j+1}-1}2^{2^{j+1}-1}=\gamma+2^{2^j}(2^{2^j}-\gamma-1)=
\gamma^\prime$
and hence $s_0+s_12+s_22^2+\dots=
\gamma^\prime+\gamma^\prime 2^{2^{j+1}}+\gamma^\prime 2^{2\cdot 2^{j+1}}+
\gamma^\prime 2^{3\cdot
2^{j+1}}+\dots=\frac{\gamma^\prime}{1-2^{2^{j+1}}}=\frac{\gamma+1}{2^{2^j}+1}-1=
\frac{\gamma-2^{2^j}}{2^{2^j}+1}$.
Since $0<2^{2^j}-\gamma<2^{2^j}+1$, the absolute value of the numerator is less
than the denominator, and this remains true after cancelling the common factor
$\gcd(2^{2^j}-\gamma,2^{2^j}+1)=\gcd(\gamma+1,2^{2^j}+1)$; hence for the
irreducible fraction $\frac uv$ we have
$\Phi(u,v)=|v|=\frac{2^{2^j}+1}{\gcd(2^{2^j}+1,\gamma+1)}$.
This completes the proof in view of the definition of the $2$-adic
complexity of a sequence.
\end{proof}
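The following is an added worked example (Python, not part of the paper): it computes the irreducible fraction $\frac uv$ whose $2$-adic expansion is a given purely periodic binary sequence, evaluates $\Phi_2=\log_2\Phi(u,v)$, and checks theorem \ref{2-comp} exhaustively over all $\gamma$ for $j\le 3$. It also evaluates the case $j=5$, where $F_5=641\cdot 6700417$, to show that choosing $\gamma+1=6700417$ brings the FCSR register size $\lceil\Phi_2\rceil$ down to $10$ for a sequence of period $64$ whose linear complexity is still $33$ by theorem \ref{lincomp}. Function names and the sample values of $\gamma$ are the example's own.

```python
# Added example (not from the paper): the rational number behind a purely
# periodic binary sequence, its 2-adic complexity Phi_2, and a check of
# theorem 2-comp against the Fermat-number formula.
from fractions import Fraction
from math import gcd, log2
from typing import List


def periodic_to_rational(period: List[int]) -> Fraction:
    """u/v in lowest terms whose 2-adic expansion is the purely periodic
    sequence with the given period (period[0] is the digit of 2^0):
        g + g*2^P + g*2^(2P) + ... = g / (1 - 2^P) = -g / (2^P - 1)   in Z_2,
    where g is the period read as a base-2 integer and P its length."""
    p = len(period)
    g = sum(bit << i for i, bit in enumerate(period))
    return Fraction(-g, (1 << p) - 1)     # Fraction() cancels the common factor


def phi(r: Fraction) -> int:
    """Phi(u, v) = max(|u|, |v|) for the irreducible fraction u/v."""
    return max(abs(r.numerator), abs(r.denominator))


def two_adic_complexity(period: List[int]) -> float:
    """Phi_2 = log2(Phi(u, v))."""
    return log2(phi(periodic_to_rational(period)))


def fcsr_register_size(period: List[int]) -> int:
    """ceil(Phi_2) computed exactly with integers (no floating point)."""
    p = phi(periodic_to_rational(period))
    return p.bit_length() - (1 if p & (p - 1) == 0 else 0)


def coordinate_period(gamma: int, j: int) -> List[int]:
    """One period (2^(j+1) bits) of a j-th coordinate sequence: the first half
    is the base-2 expansion of gamma, the second half its bitwise negation
    (theorem halfper).  Requires 0 <= gamma < 2^(2^j)."""
    half = 1 << j
    first = [(gamma >> i) & 1 for i in range(half)]
    return first + [1 - bit for bit in first]


def fermat_formula(gamma: int, j: int) -> int:
    """Phi(u, v) as theorem 2-comp predicts: F_j / gcd(F_j, gamma + 1)."""
    fermat = (1 << (1 << j)) + 1
    return fermat // gcd(fermat, gamma + 1)


def theorem_2comp_holds(j: int) -> bool:
    """Exhaustive check over every admissible gamma (feasible for small j)."""
    fermat = (1 << (1 << j)) + 1
    for gamma in range(1 << (1 << j)):
        r = periodic_to_rational(coordinate_period(gamma, j))
        if r != Fraction(gamma + 1, fermat) - 1 or phi(r) != fermat_formula(gamma, j):
            return False
    return True


if __name__ == "__main__":
    print([theorem_2comp_holds(j) for j in (1, 2, 3)])
    # j = 5: F_5 = 641 * 6700417; sample gammas constructed so that gamma+1 is a factor
    for gamma in (0, 640, 6700416):
        per = coordinate_period(gamma, 5)
        print(gamma, periodic_to_rational(per), fcsr_register_size(per))
```

The cancellation from $2^{2^{j+1}}-1$ down to a divisor of $F_j$ reflects the fact that the multiplicative order of $2$ modulo $2^{2^j}+1$ is exactly $2^{j+1}$, the period length of the sequence.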
3829: \begin{note}
3830: \label{note:WP:2comp}
3831: Similar estimates of $\Phi_2(\delta_{n-1}(\mathcal S))$ could be obtained for the sequence
3832: $\mathcal S\in\{
3833: \mathcal W_n, \mathcal Y_n, \mathcal Z\}$
3834: of \ref{WP-odd}, \ref{le:WP-odd},
3835: and \ref{thm:WP}, respectively (for $\mathcal S\in\{\mathcal U_n, \mathcal X_n\}$
3836: of \ref{WP-even} and \ref{WP-even-trunc} this estimate is
3837: already given by \ref{2-comp} in view of \ref{WP-even-trunc}). In view
3838: of \ref{note:halfper-odd} the argument of the proof of \ref{2-comp}
3839: gives that the representation of the binary sequence $\delta_{n-1}(\mathcal S)$
3840: as a $2$-adic integer is $\frac{\gamma+1}{2^{2^{n-1}m}+1}-1$, so we have
3841: %%%%$\frac{\gamma}{1+2^{2^{n-1}m}}+1+\frac{1}{2^{2^{n-1}m}-1}$,
3842: only to study a fraction
3843: %$\frac{2^{2^{n-1}m}+1}{\gcd(2^{2^j}+1,\gamma+1)}$
3844: $\frac{\gamma+1}{2^{2^{n-1}m}+1}$,
where
$\gamma=s_0+s_12+s_22^2+\dots+s_{2^{n-1}m-1}2^{2^{n-1}m-1}$, and $m$
is that of the statements of \ref{WP-odd}, \ref{le:WP-odd},
and \ref{thm:WP}.
3849: %Thus, $\Phi_2(\delta_{n-1}(\mathcal S))>2^{n-1}m-1$,
3850: %$n=1,2,\ldots$.
Representing $m=2^km_1$ with $m_1>1$ odd, we can factorize
$2^{2^{n-1}m}+1=(2^{2^{n-1+k}}+1)(2^{2^{n-1+k}(m_1-1)}-2^{2^{n-1+k}(m_1-2)}
+\cdots-2^{2^{n-1+k}}+1)$, but the problem does not become much easier because
the first factor is again a Fermat number. We omit further details.
3855: \end{note}
3856:
Both theorems \ref{lincomp} and \ref{2-comp} show that all three measures
of complexity of a sequence (linear and $2$-adic spans and $2$-adic complexity)
are not too sensitive. For instance, taking $f(x)=x+1$ as the state transition
function and $0$ as the initial state of the automaton $\mathfrak A^\prime$,
which outputs the $j$\textsuperscript{th} coordinate sequence $\mathcal
S_j=\{\delta_j(f^{(i)}(0)):i=0,1,2,\dots\}$,
we see that
the values of both linear and $2$-adic complexity of
$\mathcal S_j$
depend on $j$ exponentially:
here $\gamma=0$, so $\Psi_2(\mathcal S_j)=\lceil\Phi_2(\mathcal S_j)\rceil=2^{j}+1$. However,
in this case $\mathcal S_j$ is merely a sequence of alternating blocks of $0$'s
and $1$'s of length $2^j$ each.
3873: %, i.e., by no reasons
3874: %can $\mathcal S_j$ be judged as looking like random.
3875: %There exist more sensitive measures of complexity of a sequence, for instance,
3876: %linear complexity profile. Yet to study
3877:
Looking through the proofs of the corresponding theorems it is easy to
observe that such
big figures for linear and $2$-adic complexity in the above example
are due to a very
simple law the $j$\textsuperscript{th} coordinate sequence obeys:
the second
half of the period is the bitwise negation of the first half (see \ref{halfper},
\ref{note:halfper-odd}). This means
that, intuitively,
the $j$\textsuperscript{th} coordinate sequence is as
complex as the first half of its period. Thus we have to understand what
sequences of length $2^j$ can occur as the first half of the
period of the $j$\textsuperscript{th} coordinate sequence, that is, what
values the rational integer $\gamma$ of \ref{2-comp} takes.
3893:
3894: In other words, let $\gamma_j(f,z)\in\N_0$ be such a number that its base-$2$ expansion
3895: agrees with the first half
3896: of the period of the $j$\textsuperscript{th} coordinate sequence produced
3897: by the
3898: automaton $\mathfrak A^\prime_j$,
3899: %with state transition function $f$ and initial state $z$,
3900: i.e., let
3901: $$\gamma_j(f,z)=\delta_j(f^{(0)}(z))+2\delta_j(f^{(1)}(z))+
3902: 4\delta_j(f^{(2)}(z))+\dots+2^{2^j-1}\delta_j(f^{(2^j-1)}(z)).$$
3903: Obviously, $0\le\gamma_j(f,z)\le 2^{2^j}-1$. A natural question arises:
3904:
{\slshape Given a compatible and ergodic mapping
$f\colon\mathbb Z_2\rightarrow\mathbb Z_2$ and a $2$-adic integer $z\in\mathbb
Z_2$, what infinite strings $\gamma_0=\gamma_0(f,z),\gamma_1=\gamma_1(f,z),
\gamma_2=\gamma_2(f,z),\dots$ (where $\gamma_j\in\{0,1,\dots,2^{2^j}-1\}$
for
$j=0,1,2,\dots$) can be obtained?}

The answer is: {\slshape any one.}
3913:
3914: Namely, the
3915: following theorem holds.
3916:
3917: \begin{thm}
3918: \label{AnyHalfPer}
Let $\Gamma=\{\gamma_j\in\mathbb N_0\colon j=0,1,2,\ldots\}$
be an arbitrary sequence of non-negative rational integers that satisfy
$0\le\gamma_j\le 2^{2^j}-1$ for $j=0,1,2,\ldots$. Then
there exists a compatible and ergodic mapping
$f\colon\mathbb Z_2\rightarrow\mathbb Z_2$ and a $2$-adic integer
$z\in\mathbb Z_2$ such that $\delta_j(z)=\delta_0(\gamma_j)$,
$\delta_0(f^{(i)}(z))\equiv \gamma_0+i\pmod 2$,
and
$$\delta_j(f^{(i)}(z))\equiv \delta_{i\bmod{2^j}}(\gamma_j)+
\biggl\lfloor\frac{i}{2^j}\biggr\rfloor\pmod 2$$ for all
$i,j\in\mathbb N$.
3935: \end{thm}
\begin{note*} The sequence
$\Bigl\{\Bigl\lfloor\frac{i}{2^j}\Bigr\rfloor\bmod 2\: i=0,1,2,
\ldots\Bigr\}=\{\delta_j(i)\: i=0,1,2,\ldots\}$ is merely a binary sequence of alternating gaps and runs (i.e., blocks
of consecutive $0$'s or $1$'s, respectively) of length
$2^j$ each; so the congruence of the theorem says precisely that the first $2^j$
members of the $j$\textsuperscript{th} coordinate sequence are the base-$2$ digits of
$\gamma_j$ and the rest are obtained by the rule of \ref{halfper}.
\end{note*}
3942: \begin{proof}[Proof of theorem \ref{AnyHalfPer}]
Put $z=z_0=\sum_{j=0}^{\infty}\delta_0(\gamma_j)2^j$ and
$$z_i= (\gamma_0+i)\bmod 2+\sum_{j=1}^{\infty}\biggl(\biggl(
\delta_{i\bmod{2^j}}(\gamma_j)+
\biggl\lfloor\frac{i}{2^j}\biggr\rfloor\biggr)\bmod 2\biggr)\cdot
2^j$$
for $i=1,2,3,\ldots$ . Consider the sequence $Z=\{z_i\colon i=0,1,2,\ldots\}$.
Speaking informally, we are filling a table with countably infinitely many rows
and columns in such a way that the first $2^j$ entries of the $j$\textsuperscript{th}
column represent $\gamma_j$ in its base-2 expansion, and the other entries
of this column are obtained from these by applying the recursive relation of theorem \ref{halfper}.
Then the $i$\textsuperscript{th} row of the table is the canonical 2-adic
representation of $z_i\in Z$.
3955:
3956: We shall prove that $Z$ is a dense subset in $\mathbb Z_2$, and then
3957: define $f$ on $Z$ in such a way that $f$ is compatible and ergodic on $Z$.
3958: This will imply the assertion of the theorem.
3959:
3960: Proceeding along this way we claim that $Z\bmod 2^k = \mathbb Z/2^k$ for all $k=1,2,3,\ldots$,
3961: i.e., a natural ring homomorphism $\bmod\, 2^k\colon z\mapsto z\bmod 2^k$ maps
3962: $Z$ onto the residue ring $\mathbb Z/2^k$. Indeed, this trivially holds
3963: for $k=1$. Assuming our claim holds for $k< m$ we prove it for $k=m$.
3964: Given arbitrary $t\in\{0,1,\ldots,2^{m}-1\}$ there exists $z_i\in Z$ such
3965: that $z_i\equiv t\pmod{2^{m-1}}$. If $z_i\not\equiv t\pmod{2^{m}}$ then
3966: $\delta_{m-1}(z_i)\equiv\delta_{m-1}(t)+1\pmod 2$ and thus
3967: $\delta_{m-1}(z_{i+2^{m-1}})\equiv\delta_{m-1}(t)\pmod 2$. However,
3968: $z_{i+2^{m-1}}\equiv z_i\pmod {2^{m-1}}$. Hence
3969: $z_{i+2^{m-1}}\equiv t\pmod {2^m}$.
3970:
A similar argument shows that for each $k\in\mathbb N$
the sequence $\{z_i\bmod 2^k\colon i=0,1,2,\ldots\}$
is purely periodic with period length $2^k$, and each $t\in\{0,1,\ldots,2^{k}-1\}$
occurs in the period exactly once (in particular, all members of $Z$ are
pairwise distinct 2-adic integers). Moreover, $i\equiv i^{\prime}\pmod{2^k}$
iff $z_{i}\equiv z_{i^{\prime}}\pmod{2^k}$. Consequently, $Z$ is dense
in $\mathbb Z_2$, since for each $t\in\mathbb Z_2$ and each $k\in\mathbb
N$ there exists $z_i\in Z$ such that $\|z_i-t\|_2\le 2^{-k}$. Moreover, if
3979: we define $f(z_i)=z_{i+1}$ for all $i=0,1,2,\ldots$ then
3980: $\|f(z_i)-f(z_{i^{\prime}})\|_2=\|z_{i+1}-z_{i^{\prime}+1}\|_2=
3981: \|(i+1)-(i^{\prime}+1)\|_2=\|i-i^{\prime}\|_2=\|z_i-z_{i^{\prime}}\|_2$.
3982: Hence, $f$ is well defined and compatible on $Z$; it follows that the continuation
3983: of $f$ to the whole space $\mathbb Z_2$ is compatible. Yet $f$ is transitive
3984: modulo $2^k$ for each $k\in\mathbb N$, so its continuation is ergodic.
3985: \end{proof}
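The following is an added worked example (Python, not part of the paper): it carries out the table construction of the proof for a finite prefix $\gamma_0,\dots,\gamma_{k-1}$, which determines $z_i\bmod 2^k$ for $i<2^k$, and checks by brute force the properties the proof establishes: the residues $z_i\bmod 2^k$ form a permutation of $\mathbb Z/2^k$, the induced map $f(z_i)=z_{i+1}$ is compatible (residues congruent modulo $2^s$ have images congruent modulo $2^s$) and transitive modulo $2^k$, every column obeys the relation of \ref{halfper}, and the first $2^j$ entries of column $j$ read back $\gamma_j$. The sample values $\gamma_j$ and all function names are constructed for the example.

```python
# Added example (not from the paper): the table construction from the proof
# of theorem AnyHalfPer, truncated to k binary digits, with the checks the
# proof relies on (transitivity, compatibility, recovery of gamma_j).
from typing import Dict, List


def digit(x: int, j: int) -> int:
    """delta_j(x): the j-th binary digit of a non-negative integer x."""
    return (x >> j) & 1


def build_orbit(gammas: List[int]) -> List[int]:
    """z_i mod 2^k for 0 <= i < 2^k, k = len(gammas), with
        delta_j(z_i) = delta_{i mod 2^j}(gamma_j) + floor(i / 2^j)   (mod 2).
    Requires 0 <= gamma_j < 2^(2^j); then z_0 = sum_j delta_0(gamma_j) 2^j."""
    k = len(gammas)
    for j, gamma in enumerate(gammas):
        if not 0 <= gamma < (1 << (1 << j)):
            raise ValueError(f"gamma_{j} out of range")
    orbit = []
    for i in range(1 << k):
        z = 0
        for j, gamma in enumerate(gammas):
            z |= ((digit(gamma, i % (1 << j)) + (i >> j)) & 1) << j
        orbit.append(z)
    return orbit


def is_transitive(orbit: List[int]) -> bool:
    """Every residue mod 2^k occurs exactly once, so f(z_i) = z_{i+1} is one 2^k-cycle."""
    return sorted(orbit) == list(range(len(orbit)))


def transition_map(orbit: List[int]) -> Dict[int, int]:
    """f on Z/2^k given by f(z_i) = z_{i+1} (indices taken mod 2^k)."""
    n = len(orbit)
    return {orbit[i]: orbit[(i + 1) % n] for i in range(n)}


def is_compatible(f: Dict[int, int], k: int) -> bool:
    """a = b (mod 2^s) implies f(a) = f(b) (mod 2^s) for every s <= k (1-Lipschitz)."""
    size = 1 << k
    for s in range(1, k + 1):
        m = 1 << s
        for a in range(size):
            for b in range(a + 1, size):
                if (a - b) % m == 0 and (f[a] - f[b]) % m != 0:
                    return False
    return True


def half_period_negated(orbit: List[int]) -> bool:
    """Column j satisfies delta_j(z_{i+2^j}) = delta_j(z_i) + 1 (theorem halfper)."""
    k = len(orbit).bit_length() - 1
    return all(digit(orbit[i + (1 << j)], j) == digit(orbit[i], j) ^ 1
               for j in range(k) for i in range(len(orbit) - (1 << j)))


def recovered_gammas(orbit: List[int]) -> List[int]:
    """Read each gamma_j back from the first 2^j entries of column j."""
    k = len(orbit).bit_length() - 1
    return [sum(digit(orbit[i], j) << i for i in range(1 << j)) for j in range(k)]


if __name__ == "__main__":
    gammas = [1, 2, 9, 183, 48879]          # constructed sample: gamma_j < 2^(2^j)
    orbit = build_orbit(gammas)
    f = transition_map(orbit)
    print(orbit[:8], is_transitive(orbit), is_compatible(f, 5),
          half_period_negated(orbit), recovered_gammas(orbit) == gammas)
```

Because $z_i\bmod 2^k$ depends only on $\gamma_0,\dots,\gamma_{k-1}$ and on $i\bmod 2^k$, the truncated table is exactly the reduction modulo $2^k$ of the infinite one, so the finite checks are faithful to the proof.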
Theorem \ref{AnyHalfPer} can be extended to coordinate
sequences of wreath products of automata (see Section \ref{sec:Constr}), i.e., to
the sequences
$\delta_j(\mathcal Z)=\{\delta_j(x_i)\:i=0,1,2,\ldots\}$, where
$\mathcal Z=\{x_i\:i=0,1,2,\ldots\}$ is the recurrence sequence
over $\Z_2$ defined in \ref{thm:WP}. Speaking loosely, {\slshape the first half
of the period of each $j$\textsuperscript{th} $(j\ge 1)$ coordinate sequence
of a wreath product of automata
can be arbitrary and independent of the others}. Now we give a formal statement
and a proof of it.
3996:
Recall that $\delta_j(\mathcal Z)$
is a purely periodic binary sequence of period length $2^{j+1}m$, and the
second half of the period is a bitwise negation of its first half, see
\ref{note:halfper-odd}. Thus, the sequence $\delta_j(\mathcal Z)$ can
be identified with a rational number (which will be denoted by the same
symbol $\delta_j(\mathcal Z)$) such that its canonical $2$-adic representation
is $\delta_j(x_0)+\delta_j(x_1)2+\delta_j(x_2)2^2+\dots$. Hence in view
of note \ref{note:WP:2comp},
\begin{equation}
\label{eq:num:coord}
\delta_j(\mathcal Z)=\frac{\gamma_j+1}{2^{2^{j}m}+1}-1=\frac{\gamma_j-2^{2^{j}m}}{2^{2^{j}m}+1},
\end{equation}
where
$\gamma_j=\delta_j(x_0)+\delta_j(x_1)2+\delta_j(x_2)2^2+\dots+\delta_j(x_{2^{j}m-1})2^{2^{j}m-1}$, and $m$ and
$x_i$ are
those of the statement of \ref{thm:WP}. In other
words,
$\gamma_j\in\N_0$ is the number whose base-$2$ expansion agrees with
the first $2^jm$ terms of the sequence $\{\delta_j(x_i)\:i=0,1,2,\ldots\}$,
where $x_{i+1}=g_{i\bmod m}(x_i)$, and $\mathcal G=\{g_0,\ldots,g_{m-1}\}$
is a finite sequence of compatible measure preserving mappings of $\Z_2$ onto itself,
see \ref{thm:WP}. Thus, $\gamma_j\in\{0,1,\ldots,2^{2^jm}-1\}$, and $\gamma_j$
depends on $x_0$ and on $\mathcal G$. Yet an arbitrary purely periodic
sequence of period length $2^{j+1}m$ such that the second half of its period
is a bitwise negation of the first half (the latter can be considered
as the base-$2$ expansion of a rational integer $\gamma_j$), being treated
as the $2$-adic representation of a rational number, can be represented as
\eqref{eq:num:coord} (see note \ref{note:WP:2comp}). So we wonder
what sequences of this kind can be represented by coordinate sequences
of wreath products of automata described by theorem \ref{thm:WP}.
4027:
In other
words, to each sequence $\mathcal Z$ described by theorem \ref{thm:WP}
we associate the sequence $\Gamma(\mathcal Z)=\{\gamma_0,\gamma_1,\ldots\}$
of non-negative rational integers $\gamma_j$, $0\le\gamma_j\le
2^{2^{j}m}-1$, such that \eqref{eq:num:coord} holds for all $j=0,1,2,\ldots$. Now
we take an arbitrary sequence $\Gamma$ of this type and ask
whether it is associated to some sequence $\mathcal Z$
described by theorem \ref{thm:WP}. Generally speaking, the answer is {\slshape no}, since
according to \ref{thm:WP} the
sequence $\delta_0(\mathcal Z)$ is purely periodic with period length {\slshape
exactly} $2m$. However, a purely periodic sequence $\mathcal S$ of period length
$2m$ such that the second half of its period is a bitwise negation of
the first half, i.e., such that $\mathcal S$ can be represented in the
form \eqref{eq:num:coord} as $\mathcal S=\frac{\gamma_0-2^{2m}}{2^{2m}+1}$
for a suitable $0\le\gamma_0\le 2^{2m}-1$, {\slshape does not necessarily have
exact period length} $2m$ (see note \ref{note:halfper-odd}). On the other hand, according
to \ref{note:halfper-odd}, senior coordinate sequences $\delta_j(\mathcal
Z)$ $(j\ge 1)$ may have exact periods smaller than $2^{j+1}m$. So it
is reasonable to ask whether an arbitrary sequence $\Gamma =\{\gamma_1,\gamma_2,\ldots\}$
of non-negative rational integers $\gamma_j$ such that $0\le\gamma_j\le
2^{2^{j}m}-1$ corresponds in the above sense to a certain sequence
$\mathcal Z$ described by theorem \ref{thm:WP}. In this case the answer
is {\slshape yes}. Namely, the following theorem holds.
4051: \begin{thm}
4052: \label{thm:WP:AnyHalfPer}
4053: Let $m> 1$ be a rational integer, and let $\Gamma=\{\gamma_0,\gamma_1,\dots\}$
4054: be an arbitrary sequence over $\N_0$
4055: such that $\gamma_j\in\{0,1,\ldots,2^{2^jm}-1\}$ for
all $j=0,1,2,\dots$. Then there exists a finite sequence
4057: $\mathcal G=\{g_0,\ldots,g_{m-1}\}$
4058: of compatible measure preserving mappings of $\Z_2$ onto itself and a
4059: $2$-adic integer $x_0\in\Z_2$ such that $\mathcal G$ satisfies conditions
4060: of theorem \ref{thm:WP}, and $\delta_j(\mathcal Z)$ satisfies \eqref{eq:num:coord}
4061: for all $j=1,2,\dots$,
4062: where the recurrence sequence $\mathcal Z=\{x_0,x_1,\ldots\in\Z_2\}$ is
4063: defined by the recurrence relation $x_{i+1}=g_{i\bmod m}(x_i)$, $(i=0,1,2,\dots)$.
4064: \end{thm}
4065: % \begin{note*}
4066: % We {\slshape do not} claim here that $\delta_0(\mathcal Z)$ satisfies \eqref{eq:num:coord}:
4067: % in general, {\slshape not every} binary sequence defined by
4068: % \eqref{eq:num:coord} with $j=0$ satisfy condition (1) of theorem \ref{thm:WP}.
4069: % For instance, take $m=3$ and $\gamma_0=5$; then \eqref{eq:num:coord} defines
4070: % a sequence $101 010 101 010\ldots$, which has period length $2$, and not
4071: % $6$. See, however, a note after the following proof of theorem \ref{thm:WP:AnyHalfPer}.
4072: % \end{note*}
4073: \begin{proof} According to \ref{ergBool},
a mapping $g_i\:\Z_2\>\Z_2$ is compatible and measure preserving iff each
$\delta_j(g_i(x))$ is a Boolean polynomial in Boolean variables $\chi_0=\delta_0(x),
4076: \chi_1=\delta_1(x),\dots$ that is linear with respect to $\chi_j$, i.e.,
4077: $\delta_j(g_i(x))$
4078: could be represented as
4079: $$\delta_j(g_i(x))=\chi_j+\varphi_j^i(\chi_0,\dots,\chi_{j-1}),$$
4080: where $\varphi_j^i=\varphi_j^i(\chi_0,\dots,\chi_{j-1})$ is an arbitrary Boolean polynomial
4081: in Boolean variables $\chi_0,\dots,\chi_{j-1}$. Thus, a compatible
4082: and measure preserving mapping
4083: $g_i$ is completely determined by a sequence $\varphi_0^i,\varphi_1^i,\dots$ of
4084: corresponding Boolean polynomials. So, given a sequence $\Gamma$ we have
4085: to determine $x_0\in\N_0$ and a family $\{\varphi_j^i\: i=0,1,\ldots,m-1; j=0,1,2,\ldots\}$
4086: of Boolean functions such that the respective measure preserving mappings
4087: $g_k$ $(k=0,1,\ldots,m-1)$
4088: satisfy theorem \ref{thm:WP} and that $\delta_j(\mathcal Z)$ satisfies \eqref{eq:num:coord}
4089: for all $j=1,2,\dots$,
4090: where the recurrence sequence $\mathcal Z=\{x_0,x_1,\ldots\in\Z_2\}$ is
4091: defined by the recurrence relation $x_{i+1}=g_{i\bmod m}(x_i)$, $(i=0,1,2,\dots)$.
4092:
4093: To start with, we set $x_0=\delta_0(\gamma_0)+\delta_0(\gamma_1)\cdot 2+
4094: \delta_0(\gamma_2)\cdot 2^2+\dots\in\Z_2$. Further we describe an inductive
procedure to determine $\varphi_j^i$ successively for $j=0,1,2,\ldots$.
4096:
4097: For $j=0$ we fix arbitrary
4098: $g_0(0)=\varphi_0^0,\dots,g_{m-1}(0)=\varphi_0^{m-1}\in\{0,1\}$ that satisfy
4099: conditions (1) and (2) of theorem \ref{thm:WP}. Note that thus we have
4100: determined all the mappings $g_i$ $(i=0,1,\dots,m-1)$ modulo 2.
4101: Note also
4102: that a recurrence sequence
4103: $\mathcal X_0=\{\xi_0^0,\xi_0^1,\dots\}$ defined by relations
4104: $\xi_0^0=x_0\bmod 2$, $\xi_{k+1}^0= g_{k\bmod m}(\xi_k^0)\bmod 2$ is
4105: a purely periodic sequence over $\Z/2=\{0,1\}$ with period length exactly
4106: $2m$, that each element of $\Z/2$ occurs at the period exactly $m$ times, and
4107: that $\xi_{k+m}^0\equiv\xi_{k}^0+1\pmod2$
4108: (see the very beginning of the proof of \ref{le:WP-odd}).
4109:
4110: Suppose that we have already determined Boolean polynomials $\varphi_j^i$
4111: for $j=0,1,\dots,n-1$, $i=0,1,\dots,m-1$ in such a way that all the members
4112: of a recurrence sequence $\mathcal X_{n-1}=\{\xi_0^{n-1},\xi_1^{n-1},\dots\}$
4113: defined by relations $\xi_{0}^{n-1}=x_0\bmod 2^n$,
4114: $\xi_{k+1}^{n-1}= g_{k\bmod m}(\xi_k^{n-1})\bmod 2^n$, satisfy a congruence
4115: $\delta_j(\xi_{k+2^{n-1}m}^{n-1})\equiv\delta_j(\xi_{k}^{n-1})+1\pmod{2}$
4116: for all
4117: $j=0,1,\dots,n-1$ and $k=0,1,2,\ldots$. Note that then
4118: easy induction on $j$ (which actually is already done during the proof
4119: of claim (3) of lemma \ref{le:WP-odd}) shows that for any $k$
4120: \begin{equation}
4121: \label{eq:WP:AnyHalfPer0}
4122: |\{\xi_{k+sm}^{n-1}\:s=0,1,\dots, 2^{n}-1\}|=2^n.
4123: \end{equation}
4124: Hence, $\mathcal X_{n-1}$ is a purely periodic
4125: sequence over $\Z/2^n$
of period length exactly $2^nm$, with each element of $\Z/2^n$ occurring
4127: at the period exactly $m$ times. Now we define Boolean polynomials $\varphi_n^i$
4128: for $i=0,1,\dots,m-1$.
4129:
4130: For a Boolean polynomial $\varphi$ in Boolean
4131: variables $\chi_0,\dots,\chi_s$ and for $z\in\Z_2$ denote $\varphi(z)=
4132: \varphi(\delta_0(z),\dots,\delta_s(z))$. Proceeding with this notation,
4133: set
4134: %$\varphi_n^0(\xi_{n-1}^0)\equiv\delta_0(\gamma_n)+ \delta_1(\gamma_n)\pmod
4135: %2$,$\ldots$,
4136: \begin{equation}
4137: \label{eq:WP:AnyHalfPer1}
4138: %\varphi_n^{i\bmod m}(\xi_{n-1}^{i-1})\equiv\sum_{s=0}^{i}\delta_s(\gamma_n)\pmod2
4139: \varphi_n^{k\bmod m}(\xi^{n-1}_{k})\equiv\delta_k(\gamma_n)+\delta_{k+1}(\gamma_n)
4140: \pmod 2,
4141: %\quad (i=1,2,\dots,2^nm-1);
4142: \end{equation}
for $k=0,1,\dots,2^nm-2$. Set also
4144: \begin{equation}
4145: \label{eq:WP:AnyHalfPer2}
4146: %\varphi_n^{m-1}(\xi_{n-1}^{2^nm-1})\equiv\sum_{s=1}^{2^nm-1}\delta_s(\gamma_n)
4147: \varphi_n^{m-1}(\xi^{n-1}_{2^nm-1})\equiv\delta_{2^nm-1}(\gamma_n)+\delta_0(\gamma_n)+1\pmod2.
4148: \end{equation}
4149: %for $i=0,1,2,\dots,2^nm-1$.
4150: Note that in view of \eqref{eq:WP:AnyHalfPer1} and \eqref{eq:WP:AnyHalfPer0}
4151: the Boolean functions $\varphi_n^{i}$ of $n$ variables (and
4152: whence, corresponding Boolean polynomials) for $i=0,1,\dots,m-2$ are well
4153: defined; Also, the Boolean polynomial $\varphi_n^{m-1}$ is well defined
4154: in view of \eqref{eq:WP:AnyHalfPer2},
4155: \eqref{eq:WP:AnyHalfPer1}, and \eqref{eq:WP:AnyHalfPer0}.
4156:
4157: Consider now a recurrence sequence $\mathcal E_n=\{\varepsilon_k\:k=0,1,2,\dots\}$
4158: over $\Z/2$ defined by relations $\varepsilon_0=\delta_0(\gamma_n)$,
4159: $\varepsilon_{k+1}=\varepsilon_k+\varphi_n^{k\bmod m}(\xi_k^{n-1})\pmod
4160: 2$. In view of \eqref{eq:WP:AnyHalfPer1} one has $\varepsilon_k=\delta_k(\gamma_n)$
for $k=0,1,\dots,2^nm-1$, and $\varepsilon_{2^nm}\equiv\delta_0(\gamma_n)+1\pmod
4162: 2$ in view of \eqref{eq:WP:AnyHalfPer2}. Yet
4163: $\mathcal X_{n-1}$ is a purely periodic
4164: sequence over $\Z/2^n$
of period length exactly $2^nm$; proceeding with this we obtain successively
4166: in view of \eqref{eq:WP:AnyHalfPer2} and
4167: \eqref{eq:WP:AnyHalfPer1}:
4168: \begin{align*}
4169: %\label{eq:WP:AnyHalfPer3}
4170: &\varepsilon_{2^nm}\equiv\delta_0(\gamma_n)+1\pmod 2,&\ldots&,
4171: &{}&\varepsilon_{2^{n}m+(2^{n}m-1)}\equiv\delta_{2^nm-1}(\gamma_n)+1\pmod 2,\\
4172: &\varepsilon_{2\cdot 2^{n}m}\equiv\delta_{0}(\gamma_n)\pmod 2,&\ldots&,
4173: &{}&\varepsilon_{2\cdot 2^{n}m+(2^{n}m-1)}\equiv\delta_{2^nm-1}(\gamma_n)\pmod 2,\\
4174: &\varepsilon_{3\cdot 2^{n}m}\equiv\delta_{0}(\gamma_n)+1\pmod 2,&\ldots&
4175: \end{align*}
4176: Note that in view of the definition of $\varepsilon_k$ one has
4177: $$\varepsilon_{2^nm}=\delta_0(\gamma_n)+\sum_{k=0}^{2^nm-1}\varphi_n^{k\bmod
4178: m}(\xi_k^{n-1}).$$
4179: But the sum in the right hand side must be $1$ modulo $2$ since
4180: $\varepsilon_{2^nm}\equiv\delta_0(\gamma_n)+1\pmod 2$, as it was proved
4181: above. So, in view of \eqref{eq:WP:AnyHalfPer0} one has
4182: $$\sum_{k=0}^{2^nm-1}\varphi_n^{k\bmod m}(\xi_k^{n-1})\equiv
4183: \sum_{i=0}^{m-1}\sum_{\xi\in\Z/2^n}\varphi_n^{i}(\xi)\equiv 1\pmod 2. $$
4184: With the note that $\sum_{\xi\in\Z/2^n}\varphi_n^{i}(\xi)$ is just a weight
4185: of a Boolean polynomial $\varphi_n^{i}$, we conclude that an odd number of Boolean
polynomials of $\varphi_n^{0},\ldots,\varphi_n^{m-1}$ must be of odd weight
4187: (cf. conditions of lemma \ref{le:WP-odd}).
4188:
4189:
4190: Now setting $\xi^n_k=\xi^{n-1}_k+2^n\cdot\varepsilon_k$
for $k=0,1,2,\dots$ we obtain a sequence
4192: $\mathcal X_{n}=\{\xi_0^{n},\xi_1^{n},\dots\}$ over $\Z/2^{n+1}$
4193: such that members of $\mathcal X_{n}$ satisfy the following relations
4194: \begin{align*}
4195: &\qquad\xi_{0}^{n}=x_0\bmod 2^{n+1},\\
4196: &\qquad\xi_{k+1}^{n}= g_{k\bmod m}(\xi_k^{n})\bmod 2^{n+1},\\
4197: &\qquad\delta_j(\xi_{k+2^{n}m}^{n})\equiv\delta_j(\xi_{k}^{n})+1\pmod{2}
4198: \end{align*}
4199: for all
4200: $j=0,1,\dots,n$ and $k=0,1,2,\ldots$. Moreover, $\mathcal X_{n}$ is a purely
periodic sequence with period length $2^{n+1}m$ (in view of the third of the preceding
4202: congruences, since the sequence $\mathcal X_{n-1}$ is purely periodic with period length
4203: exactly $2^nm$ by the above assumption), and each element of $\Z/2^{n+1}$
occurs at the period exactly $m$ times. Finally,
4205: $\delta_n(\mathcal X_{n})=\{\varepsilon_0,\varepsilon_1,\ldots\}=\frac{2^{2^{n}m}-\gamma_n}{2^{2^{n}m}+1}$.
4206:
4207: With the use of this inductive procedure we construct for $n=1,2,\ldots$
4208: well defined
4209: mappings $g_i$ modulo $2^{n+1}$ $(i=0,1,\ldots,m-1)$
4210: that are compatible and bijective modulo $2^{n+1}$; moreover, a corresponding
4211: recurrence sequence $\mathcal X_n$ defined by relation
4212: $x_{i+1}=g_{i\bmod m}(x_i)\bmod
2^{n+1}$ satisfies \eqref{eq:num:coord} for $j=1,\ldots,n$. The mappings
4214: $g_i$ satisfy condition (3) of \ref{thm:WP} for $k=1,2,\ldots,n+1$ since,
4215: as it was noted above,
4216: the odd number of Boolean
polynomials of $\varphi_k^{0},\ldots,\varphi_k^{m-1}$ are of odd weight
4218: for all $k=1,2,\ldots,n$. From the definition of $g_i$ modulo 2 it follows
4219: that these mappings $g_i$ satisfy conditions (1) and
4220: (2) of \ref{thm:WP}.
4221: This completes
4222: the proof in view of the notices that were made at the very beginning of
4223: it.
4224: \end{proof}
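The inductive procedure of the preceding proof, carried out in code as an added example (this is not the paper's own code): the maps $g_i$ are kept as lookup tables modulo $2^N$, where $N$ is the number of prescribed $\gamma_j$, and are lifted one bit at a time by the rule $\delta_n(g_i(x))=\chi_n+\varphi_n^i(\chi_0,\dots,\chi_{n-1})$, with $\varphi_n^i$ read off from $\gamma_n$ through \eqref{eq:WP:AnyHalfPer1} and \eqref{eq:WP:AnyHalfPer2} while walking one period of $\mathcal X_{n-1}$. The mod-$2$ constants $\varphi_0^i$ are an assumption of the example (an odd number of them equal to $1$, which gives $\xi^0_{k+m}\equiv\xi^0_k+1\pmod 2$); conditions (1) and (2) of theorem \ref{thm:WP} are not restated here. The code checks that each $\varphi_n^i$ is assigned exactly once at every point of $\Z/2^n$ (the well-definedness that \eqref{eq:WP:AnyHalfPer0} provides), that the resulting $g_i$ are compatible bijections modulo $2^N$, and that $\delta_j(\mathcal Z)$ for $j\ge1$ is the bit string of $\gamma_j$ followed by its bitwise negation. The sample values $m=2$, $\Gamma=\{2,9,200\}$, $\varphi_0=(1,0)$ are constructed for the example.

```python
# Added example (not the paper's code): the inductive construction from the
# proof above, on lookup tables modulo 2^N, with the checks described in the text.

def bit(x, j):
    """delta_j(x): the j-th binary digit of the non-negative integer x."""
    return (x >> j) & 1

def build_maps(m, gammas, phi0):
    """Return (x0, tables) with tables[i][x] = g_i(x) mod 2^N, N = len(gammas).

    gammas[j] must lie in {0, ..., 2^(2^j m) - 1}; phi0[i] = g_i(0) mod 2 are the
    Boolean constants phi_0^i (assumption: an odd number of them equal 1).
    """
    N = len(gammas)
    for j, gamma in enumerate(gammas):
        if not 0 <= gamma < 1 << ((1 << j) * m):
            raise ValueError(f"gamma_{j} out of range")
    if sum(phi0) % 2 == 0:
        raise ValueError("an odd number of phi_0^i must equal 1")
    x0 = sum(bit(g, 0) << j for j, g in enumerate(gammas))   # x_0 = sum delta_0(gamma_j) 2^j
    tables = [[(x + phi0[i]) & 1 for x in range(2)] for i in range(m)]  # g_i modulo 2
    for n in range(1, N):
        mod, length = 1 << n, (1 << n) * m     # X_{n-1} over Z/2^n has period 2^n m
        xi = [x0 % mod]
        for k in range(length - 1):
            xi.append(tables[k % m][xi[-1]])
        gamma = gammas[n]
        phi = [[None] * mod for _ in range(m)]  # phi_n^i as a value table on Z/2^n
        for k in range(length):
            if k < length - 1:                  # (AnyHalfPer1)
                value = bit(gamma, k) ^ bit(gamma, k + 1)
            else:                               # (AnyHalfPer2)
                value = bit(gamma, length - 1) ^ bit(gamma, 0) ^ 1
            i = k % m
            if phi[i][xi[k]] is not None:       # (AnyHalfPer0) guarantees this never fires
                raise RuntimeError("phi_n^i would be defined twice at one point")
            phi[i][xi[k]] = value
        # lift each g_i to Z/2^(n+1): delta_n(g_i(x)) = chi_n + phi_n^i(chi_0..chi_{n-1})
        tables = [[tables[i][x % mod] | ((bit(x, n) ^ phi[i][x % mod]) << n)
                   for x in range(2 * mod)] for i in range(m)]
    return x0, tables

def coordinate_sequence(x0, tables, j, length):
    """delta_j(x_0), delta_j(x_1), ... for x_{k+1} = g_{k mod m}(x_k)."""
    m, out, x = len(tables), [], x0
    for k in range(length):
        out.append(bit(x, j))
        x = tables[k % m][x]
    return out

def half_period_pattern(gamma, half):
    """The 2*half bits: digits of gamma, then their bitwise negation."""
    first = [bit(gamma, k) for k in range(half)]
    return first + [1 - b for b in first]

def is_compatible(table, N):
    """g(x) = g(y) (mod 2^n) whenever x = y (mod 2^n), for every n <= N."""
    return all(table[x] % (1 << n) == table[x % (1 << n)] % (1 << n)
               for n in range(1, N + 1) for x in range(1 << N))

def verify_construction(m, gammas, phi0):
    """True iff the g_i are compatible bijections mod 2^N and, for every j >= 1,
    delta_j(Z) over one period 2^(j+1) m is gamma_j's bits followed by their negation."""
    x0, tables = build_maps(m, gammas, phi0)
    N = len(gammas)
    if not all(is_compatible(t, N) and sorted(t) == list(range(1 << N)) for t in tables):
        return False
    return all(coordinate_sequence(x0, tables, j, 2 * (1 << j) * m)
               == half_period_pattern(gammas[j], (1 << j) * m) for j in range(1, N))

if __name__ == "__main__":
    # constructed sample: m = 2, Gamma = {2, 9, 200}, phi_0 = (1, 0)
    x0, tables = build_maps(2, [2, 9, 200], [1, 0])
    print(coordinate_sequence(x0, tables, 1, 8))        # [1, 0, 0, 1, 0, 1, 1, 0]
    print(verify_construction(2, [2, 9, 200], [1, 0]))  # True
```

Only the tables modulo $2^N$ are ever stored, so the example is limited to small $N$ and $m$; the point is that nothing beyond the two defining congruences and the mod-$2$ start is needed to obtain a prescribed $\delta_j(\mathcal Z)$ for every $j\ge1$, while $\delta_0(\mathcal Z)$ is governed by the choice of $\varphi_0^i$ alone.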
4225: % \begin{note} No correlations among coordinate sequences on short
4226: % outputs.
4227: % \end{note}
4228: \subsection*{Distribution of $k$-tuples} In this subsection we study a
4229: distribution of overlapping binary $k$-tuples in output sequences of automata
4230: introduced above. As it was shown, an output sequence of any of these automata with
4231: output alphabet $\{0,1,2,\ldots, 2^n-1\}=\Z/2^n$ is strictly uniformly
4232: distributed as a sequence over $\Z/2^n$. That is, it is purely periodic,
4233: and each element of $\Z/2^n$
4234: occurs at the period the same number of times. However, one could consider
4235: the same sequence as a binary sequence, and ask what is a distribution
4236: of $n$-tuples in such a sequence. {\slshape Strict uniform distribution of an
4237: arbitrary sequence $\mathcal T$
4238: as a sequence over $\Z/2^n$ does not necessarily imply uniform distribution
4239: of overlapping $n$-tuples, if this sequence is considered as a binary sequence!}
4240:
4241: For instance, let $\mathcal T$ be the following strictly uniformly
distributed sequence over $\Z/4$ with period length exactly $4$:
4243: $\mathcal T=023102310231\ldots$. Then its representation as a binary sequence
4244: is $\mathcal T=000111100001111000011110\ldots$ (recall that according to
4245: our conventions in Section \ref{Prelm} we write senior bits right, and not left;
4246: i.e., $2=01$, $1=10$, etc.) Obviously, when we consider $\mathcal T$ as
4247: a sequence over $\Z/4$, then each number of $\{0,1,2,3\}$ occurs in the
4248: sequence with the same frequency $\frac{1}{4}$. Yet if we consider $\mathcal
4249: T$ as a binary sequence, then $00$ (as well as $11$) occurs in this sequence with
4250: frequency $\frac{3}{8}$, whereas $01$ (and $10$) occurs with frequency $\frac{1}{8}$.
4251: Thus, the sequence $\mathcal T$ is uniformly distributed over $\Z/4$, and
4252: it is not uniformly distributed over $\Z/2$.
4253:
4254: In this subsection we show that such an effect does not take
4255: place for output sequences of automata described in \ref{WP-even}, \ref{WP-even-trunc}, \ref{WP-odd}, \ref{le:WP-odd},
4256: and \ref{thm:WP}: {\slshape Considering any of these sequences as
4257: a binary sequence, a distribution
4258: of $k$-tuples is uniform, for all $k\le n$}. Now we state this property more formally.
4259:
4260: Consider a (binary) {\it $n$-cycle}
4261: $C=(\varepsilon_0\varepsilon_1\dots \varepsilon_{n-1})$;
4262: %over a set $\{0,1\}$};
4263: that is, an oriented
4264: graph with vertexes $\{a_0,a_1,\ldots, a_{n-1}\}$ and edges
4265: $$\{(a_0,a_1),(a_1,a_2),\ldots, (a_{n-2},a_{n-1}),(a_{n-1},a_0)\},$$
4266: where
4267: each vertex $a_j$ is labelled with $\varepsilon_j\in\{0,1\}$, $j=0,1,\dots,n-1$.
4268: (Note that then $(\varepsilon_0\varepsilon_1\dots \varepsilon_{n-1})=
4269: (\varepsilon_{n-1}\varepsilon_0\dots \varepsilon_{n-2})=\ldots$, etc.).
4270:
4271: Clearly, each purely periodic sequence $\mathcal S$ over $\Z/2$ with period
4272: $\alpha_0\ldots\alpha_{n-1}$
4273: of length $n$
4274: could be related to a binary $n$-cycle $C(\mathcal S)=(\alpha_0\ldots\alpha_{n-1})$.
Conversely, to each binary $n$-cycle $(\alpha_0\ldots\alpha_{n-1})$ we could
4276: relate $n$ purely periodic binary sequences of period length $n$: They
4277: are $n$ shifted versions of the sequence
4278: $$\alpha_0\ldots\alpha_{n-1}\alpha_0\ldots\alpha_{n-1}\ldots,$$
4279: that is
4280: \begin{align*}
4281: &\alpha_1\ldots\alpha_{n-1}\alpha_0\alpha_1\ldots\alpha_{n-1}\alpha_0\ldots,\\
4282: &\alpha_2\ldots\alpha_{n-1}\alpha_0\alpha_1\alpha_2\ldots\alpha_{n-1}\alpha_0\alpha_1\ldots,\\
4283: &\ldots\qquad\ldots\qquad\ldots\\
4284: &\alpha_{n-1}\alpha_0\alpha_1\alpha_2\ldots\alpha_{n-2}\alpha_{n-1}\alpha_0\alpha_1\alpha_2\ldots\alpha_{n-2}\ldots
4285: \end{align*}
4286:
4287: Further, {\it a $k$-chain in a binary $n$-cycle}
4288: $C$ is a
4289: binary string $\beta_0\dots\beta_{k-1}$, $k<n$, that satisfies the following
4290: condition: There exists $j\in\{0,1,\ldots,n-1\}$ such that $\beta_i=\varepsilon_{(i+j)\bmod
4291: n}$ for $i=0,1,\ldots, k-1$. Thus, a $k$-chain
4292: is just a string of length
4293: $k$ of labels that corresponds to a chain of length $k$ in a graph $C$.
4294:
4295: We call a binary $n$-cycle $C$ {\it $k$-full}, if each $k$-chain
4296: occurs in the graph $C$ the same number $r>0$ of times.
4297:
4298: Clearly, if $C$ is $k$-full, then $n=2^kr$. For instance, a well-known
4299: De Bruijn sequence is an $n$-full $2^n$-cycle,
4300: %(to be more exact, a periodic
4301: %binary sequence that corresponds to this $2^n$-cycle),
4302: see e.g. \cite{MrH}
for further references. Clearly, a $k$-full $n$-cycle is $(k-1)$-full:
4304: Each $(k-1)$-chain occurs in $C$ exactly $2r$ times, etc. Thus, if an $n$-cycle
4305: $C(\mathcal S)$ is $k$-full, then each $m$-tuple (where $1\le m\le k$) occurs in
4306: the sequence $\mathcal S$ with the same probability (limit frequency) $\frac{1}{2^m}$.
4307: That is, the sequence $\mathcal S$ is {\it $k$-distributed}, see
4308: \cite[Section 3.5, Definition D]{Knuth}.
4309: \begin{defn} A purely periodic binary sequence $\mathcal S$ with period length
4310: exactly $N$ is said to be {\it
4311: strictly $k$-distributed} iff a corresponding $N$-cycle $C(\mathcal S)$
4312: is $k$-full.
4313: \end{defn}
4314:
4315: Thus, if a sequence $\mathcal S$ is strictly $k$-distributed, then it is
4316: strictly $s$-distributed, for all positive $s\le k$.
4317:
4318: A $k$-distribution is a good ``indicator
4319: of randomness" of an infinite sequence: The larger $k$, the better the
sequence, i.e., ``more random". The best case is when a sequence is $k$-distributed
for all $k=1,2,\ldots$. Such sequences are called $\infty$-distributed.
Obviously, a periodic sequence cannot be $\infty$-distributed.
4323:
4324: On the other hand, a periodic sequence is just an infinite repetition of a finite
4325: sequence, the period. A common requirement in applications is that the
4326: period length must be large, and the whole period is never used in practice. For instance,
4327: in cryptography normally a relatively small part of a period is used.
4328: So we
are interested in ``how random" a finite sequence is, namely, the period.
4330: Of course, it seems very reasonable to consider a period of length $n$ as an $n$-cycle
4331: and to study a distribution
4332: of $k$-tuples in $n$-cycle; for instance,
4333: if this $n$-cycle is $k$-full, the distribution of $k$-tuples is strictly
4334: uniform. However, other approaches also exist.
4335:
4336: In \cite[Section 3.5, Definition Q1]{Knuth} there is considered the following
4337: ``indicator of randomness"
4338: of a finite sequence over a finite alphabet $A$ (we formulate the corresponding
4339: definition for $A=\{0,1\}$): A finite binary sequence
4340: $\varepsilon_0\varepsilon_1\dots \varepsilon_{N-1}$
4341: of length $N$ is said to be random, iff
4342: \begin{equation}
4343: \label{eq:Q1}
4344: \bigg|\frac{\nu(\beta_0\ldots\beta_{k-1})}{N}-\frac{1}{2^k}\bigg|\le\frac{1}{\sqrt
4345: N}
4346: \end{equation}
4347: for all $0<k\le\log_2N$, where $\nu(\beta_0\ldots\beta_{k-1})$ is the number
of occurrences of a binary word $\beta_0\ldots\beta_{k-1}$ in a binary word
$\varepsilon_0\varepsilon_1\dots \varepsilon_{N-1}$. If a finite sequence
is random in the sense of this Definition Q1 of \cite{Knuth}, we shall say
that it has {\it a property} Q1, or {\it satisfies} Q1. We shall also
say that an {\it infinite periodic sequence satisfies} Q1 iff its exact
period satisfies Q1.
Note that, contrasting to the case of strict $k$-distribution, which implies
4355: strict $(k-1)$-distribution,
4356: %$n$-cycle, where $k$-fullness implies
4357: %$(k-1)$-fullness,
4358: it is not enough to demonstrate only
4359: that \eqref{eq:Q1}
4360: holds for $k=\lfloor\log_2N\rfloor$ to prove a finite sequence of length $N$
4361: satisfies Q1:
4362: For instance, a sequence $1111111100000111$ satisfies \eqref{eq:Q1} for
$k=\lfloor\log_2N\rfloor=4$, and does not satisfy \eqref{eq:Q1} for $k=3$.
Note that an analogue of property Q1 for odd prime $p$ could be stated in an obvious
4365: way.
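A checker for property Q1 on a finite binary word, added here as an example (not code from the paper): it counts the occurrences $\nu(\beta_0\ldots\beta_{k-1})$ of all $2^k$ words of length $k$ and tests \eqref{eq:Q1} in exact integer arithmetic. Run on the sequence $1111111100000111$ from the text it reports failure for $k=2,3$ while $k=4$ passes, which is the non-monotonicity just noted. The congruential generator $x\mapsto 5x+3\bmod 2^n$ fed to it is an assumption of the example; it has maximum period length since $5\equiv1\pmod 4$ and $3$ is odd (Hull--Dobell), which the code verifies rather than presumes, and for $n=3$ its binary period satisfies Q1, in line with the second assertion of theorem \ref{thm:distr}.

```python
# Added example (not the paper's code): Knuth's property Q1 on a finite binary
# word, plus a small maximum-period congruential generator to try it on.

def window_counts(word, k):
    """nu(beta) for every word beta of length k: occurrences in the finite
    word, counted over ordinary (non-cyclic) windows."""
    counts = {}
    for j in range(len(word) - k + 1):
        w = word[j:j + k]
        counts[w] = counts.get(w, 0) + 1
    return counts

def q1_holds_for_k(word, k):
    """|nu/N - 1/2^k| <= 1/sqrt(N) for all 2^k words of length k.

    Multiplying through by N*2^k and squaring gives the equivalent integer
    test (nu*2^k - N)^2 <= 4^k * N, so no floating point is involved."""
    N = len(word)
    counts = window_counts(word, k)
    for value in range(1 << k):
        nu = counts.get(format(value, "0{}b".format(k)), 0)
        if (nu * (1 << k) - N) ** 2 > (4 ** k) * N:
            return False
    return True

def failing_k(word):
    """Those k in 1..floor(log2 N) for which (eq:Q1) fails; Q1 holds iff empty."""
    N = len(word)
    return [k for k in range(1, N.bit_length()) if not q1_holds_for_k(word, k)]

def satisfies_q1(word):
    return not failing_k(word)

def lcg_binary_period(a, c, n):
    """Exact period of x -> a*x + c (mod 2^n) starting at 0, written in binary
    with the least significant bit of each state first (the text's convention).
    The period is 2^n iff c is odd and a = 1 (mod 4); this is checked, not assumed."""
    mod = 1 << n
    x, states = 0, []
    while x not in states:          # fine for the small n used here
        states.append(x)
        x = (a * x + c) % mod
    if x != 0 or len(states) != mod:
        raise ValueError("not a maximum period generator")
    return "".join(format(z, "0{}b".format(n))[::-1] for z in states)

# constructed from the text: passes (eq:Q1) for k = 4 but not for k = 3
KNUTH_EXAMPLE = "1111111100000111"

if __name__ == "__main__":
    print(failing_k(KNUTH_EXAMPLE))                    # [2, 3]
    print(satisfies_q1(lcg_binary_period(5, 3, 3)))    # True
```

For the $16$-bit example the $k=4$ case sits exactly on the boundary of \eqref{eq:Q1} ($\nu(1111)=5$, and $5/16-1/16=1/4=1/\sqrt{16}$), which is why the comparison is done with integers rather than floating point.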
4366:
4367: Now we are able to state the following
4368: \begin{thm}
4369: \label{thm:distr}
4370: Let a sequence $\mathcal Z$ over $\Z/2^n$ be any of output sequences of
4371: wreath products of automata {\rm(described in \ref{WP-even}, \ref{WP-even-trunc}, \ref{WP-odd}, \ref{le:WP-odd},
4372: and \ref{thm:WP}; hence $\mathcal Z$ is a purely periodic sequence
4373: of period length $2^n\ell$, where $\ell=2^m$ for wreath products described
4374: by \ref{WP-even} or \ref{WP-even-trunc}, and $\ell=m$ otherwise)} or, in
4375: particular, of a congruential generator of a maximum period length {\rm(this
4376: corresponds to the case $\ell=m=1$)}. Let $\mathcal Z^\prime$ be a
4377: binary representation of $\mathcal Z$ {\rm (hence $\mathcal Z^\prime$ is
4378: a purely periodic binary sequence of period length exactly $2^n\ell n$)}.
4379: Then
4380: %$(2^n\ell n)$-cycle $C(\mathcal Z^\prime)$ is $n$-full; thus
4381: the sequence $\mathcal Z^\prime$ is strictly $n$-distributed.
4382:
4383: Moreover, if $\mathcal Z^\prime$ is a binary output sequence of a
4384: congruential generator of a maximum period length, then this sequence satisfies
4385: {\rm Q1}.
4386: \end{thm}
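The example with $\mathcal T=0231\ldots$ above and the first assertion of the theorem just stated, checked in code as an added example (not the paper's code): a sequence over $\Z/2^n$ is written in binary with the least significant bit first, every $k$-chain of the resulting binary cycle is counted, and $k$-fullness is tested. The congruential generator $x\mapsto 5x+3\bmod 2^n$ is an assumption of the example; it has maximum period length since $5\equiv1\pmod 4$ and $3$ is odd (Hull--Dobell), which the code verifies rather than presumes.

```python
# Added example (not the paper's code): binary representation of a sequence
# over Z/2^n, counting of k-chains in the corresponding binary cycle, and the
# k-fullness test behind strict k-distribution.
from fractions import Fraction

def to_binary(seq, n):
    """Each z in Z/2^n becomes its n base-2 digits, least significant first."""
    return [(z >> j) & 1 for z in seq for j in range(n)]

def chain_counts(cycle, k):
    """Number of times each k-chain occurs in the binary N-cycle (N cyclic windows)."""
    N = len(cycle)
    counts = {}
    for j in range(N):
        chain = tuple(cycle[(j + i) % N] for i in range(k))
        counts[chain] = counts.get(chain, 0) + 1
    return counts

def chain_frequencies(cycle, k):
    """Limit frequency of every k-tuple in the periodic sequence with this period."""
    N = len(cycle)
    return {chain: Fraction(c, N) for chain, c in chain_counts(cycle, k).items()}

def is_k_full(cycle, k):
    """k-full: each of the 2^k chains occurs the same number r > 0 of times."""
    counts = chain_counts(cycle, k)
    return len(counts) == 1 << k and len(set(counts.values())) == 1

def max_full_k(cycle):
    """Largest k for which the cycle is k-full (so the sequence is strictly
    k-distributed); 0 if it is not even 1-full."""
    k = 0
    while is_k_full(cycle, k + 1):
        k += 1
    return k

def lcg_period(a, c, n, x0=0):
    """One exact period of x -> a*x + c (mod 2^n) from x0; raises unless the
    period is 2^n (c odd and a = 1 mod 4 guarantee that)."""
    mod = 1 << n
    seq, x = [], x0
    while True:
        seq.append(x)
        x = (a * x + c) % mod
        if x == x0:
            break
        if len(seq) > mod:
            raise ValueError("generator does not return to x0")
    if len(seq) != mod:
        raise ValueError("not a maximum period generator")
    return seq

# constructed: the period of the sequence T = 0231... over Z/4 from the text
T_PERIOD = [0, 2, 3, 1]

if __name__ == "__main__":
    t = to_binary(T_PERIOD, 2)                 # [0,0,0,1,1,1,1,0]
    print(chain_frequencies(t, 2))             # 00 and 11: 3/8, 01 and 10: 1/8
    print(max_full_k(t))                       # 1: uniform over Z/4, not 2-distributed
    for n in (2, 3, 4):
        b = to_binary(lcg_period(5, 3, n), n)
        print(n, max_full_k(b), set(chain_counts(b, n).values()))   # n, n, {n}
```

The last loop shows the theorem's count $r=n\ell$ with $\ell=1$: each $n$-chain occurs exactly $n$ times on the $(2^nn)$-cycle, and the cycle is not $(n+1)$-full, since $2^{n+1}$ does not divide $2^nn$ for $n<4$ and the counts are unequal for $n=4$.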
4387: \begin{proof} The sequence $\mathcal Z=z_0z_1\ldots$
is a recurrence sequence over $\{0,1,\ldots,2^n-1\}=\Z/2^n$ that satisfies the following
4389: recurrence relation:
4390: $$z_{i+1}=f_i(z_i)\bmod 2^n \qquad (i=0,1,2,\ldots),$$
4391: where $f_i$ is compatible and measure preserving mapping of $\Z_2$ onto itself. Here
4392: and further in the proof we assume that subscript $i$ of $f$ is always
4393: reduced
4394: modulo $\ell$ for $\ell>1$ and is empty symbol for $\ell=1$ (the latter
4395: case corresponds to congruential generator of a maximum period length with
4396: state transition function $f\bmod 2^n$, where $f$ is ergodic). Let
4397: $\mathcal Z^\prime=\zeta_0\zeta_1\ldots$ be a binary representation of
4398: the sequence $\mathcal Z$. Take
4399: an arbitrary binary word $\mathbf b=\beta_0\beta_1\ldots\beta_{n-1}$, $\beta_j\in\{0,1\}$,
4400: and for $k\in\{0,1,\ldots, n-1\}$ denote
4401: $$\nu_k(\mathbf b)=|\{r\: 0\le r<2^n\ell n;
4402: \ r\equiv k\pmod n;\
4403: \zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1}=\beta_0\beta_1\ldots\beta_{n-1}\}|$$
Obviously, $\nu_0(\mathbf b)$ is the number of occurrences of a rational
4405: integer $z$ with base-$2$ expansion $\beta_0\beta_1\ldots\beta_{n-1}$ at
4406: the exact period of the sequence $\mathcal Z$. Hence, $\nu_0(\mathbf b)=\ell$
4407: since the sequence $\mathcal Z$ is strictly uniformly distributed modulo
4408: $2^n$. Now consider $\nu_k(\mathbf b)$ for $0<k<n$.
4409:
Fix $k\in\{1,2,\ldots,n-1\}$ and let $r=k+tn$. As all $f_i$ are compatible, then
4411: $\zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1}=\beta_0\beta_1\ldots\beta_{n-1}$
4412: holds if and only if the following two relations hold simultaneously:
4413: \begin{align}
4414: \label{eq:distr1}
4415: &\zeta_{tn+k}\zeta_{tn+k+1}\ldots\zeta_{tn+n-1}=\beta_0\beta_1\ldots\beta_{n-k-1}
4416: \\ \label{eq:distr2}
4417: &f_{t}(\overline{\zeta_{tn}\zeta_{tn+1}\ldots\zeta_{tn+k-1}})\equiv
4418: \overline{\beta_{n-k}\beta_{n-k+1}\ldots\beta_{n-1}}\pmod{2^k}.
4419: \end{align}
4420: Here $\overline{\gamma_0\gamma_1\ldots\gamma_s}=\gamma_0+\gamma_1\cdot
4421: 2+\dots+\gamma_s\cdot 2^s$ for $\gamma_0,\gamma_1,\ldots,\gamma_s\in\{0,1\}$
4422: is a rational integer with base-$2$ expansion $\gamma_0\gamma_1\ldots\gamma_s$.
4423:
4424: We consider a case $\ell=1$ first; so $f_{t}=f$. Then for a given
4425: $\mathbf b=\beta_0\beta_1\ldots\beta_{n-1}$
4426: congruence \eqref{eq:distr2} has exactly one solution
4427: $\overline{\alpha_0\alpha_1\dots\alpha_{k-1}}$ modulo $2^k$, since
4428: $f$
4429: is ergodic, whence, bijective modulo $2^k$.
4430: Thus,
4431: in view of \eqref{eq:distr1} and \eqref{eq:distr2} we conclude that
4432: $\zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1}=\beta_0\beta_1\ldots\beta_{n-1}$
4433: holds if and only if
4434: \begin{equation}
4435: \label{eq:distr3}
4436: \zeta_{s}\zeta_{s+1}\ldots\zeta_{s+n-1}=
4437: \alpha_0\alpha_1\dots\alpha_{k-1}\beta_0\beta_1\ldots\beta_{n-k-1},
4438: \end{equation}
4439: where $s=tn$. Yet there
4440: exists exactly one
4441: $s\equiv 0\pmod n$, $0\le s< 2^nn$ such that \eqref{eq:distr3} holds,
4442: %and \eqref{eq:distr2} hold simultaneously,
4443: %since , as , and
4444: since every element of
4445: $\Z/2^n$ occurs at the period of $\mathcal Z$ exactly once. We conclude
4446: now that
4447: if $\ell=1$ then
4448: $\nu_k(\mathbf b)=1$ for all $k\in\{0,1,\ldots, n-1\}$; thus, $\nu(\mathbf b)=
4449: \sum_{j=0}^{n-1}\nu_j(\mathbf b)=n$ for all $\mathbf b$. This means that
4450: $(2^nn)$-cycle
4451: $C(\mathcal Z^{\prime})$ is $n$-full, whence, the sequence $\mathcal Z^{\prime}$
4452: is strictly $n$-distributed.
4453:
4454: A similar argument is applied to the case $\ell>1$. Namely,
4455: %let $tn=j\bmod
4456: %\ell$, then
4457: for a given $j\in\{0,1,\ldots,\ell-1\}$ consider those $r=k+tn<2^n\ell
4458: n$ where $t\equiv j\pmod \ell$ and denote
4459: $$\nu_k^j(\mathbf b)=|\{r\: 0\le r<2^n\ell n;
4460: \ r=k+tn;\ t\equiv j\pmod\ell;\
4461: \zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1}=\mathbf b\}|.$$
4462: Now $\zeta_r\zeta_{r+1}\ldots\zeta_{r+n-1}=\beta_0\beta_1\ldots\beta_{n-1}$
4463: holds if and only if \eqref{eq:distr3} holds, where
4464: $\overline{\alpha_0\alpha_1\dots\alpha_{k-1}}$ is a unique solution of
4465: congruence \eqref{eq:distr2} modulo $2^k$. This solution exists since all
4466: $f_j$ are measure preserving, see theorem \ref{thm:WP}. Yet \eqref{eq:distr3}
4467: is equivalent to the condition
4468: $$z_t=\overline{\alpha_0\alpha_1\dots\alpha_{k-1}\beta_0\beta_1\ldots\beta_{n-k-1}},$$
4469: where $t\in\{j,j+\ell,\ldots,j+(2^n-1)\ell\}$. But in view of claim (3) of
4470: lemma \ref{le:WP-odd} for a given
4471: $\overline{\alpha_0\alpha_1\dots\alpha_{k-1}\beta_0\beta_1\ldots\beta_{n-k-1}}$
there exists exactly one $t\in\{j,j+\ell,\ldots,j+(2^n-1)\ell\}$ such that the
4473: latter equality holds. So we conclude that $\nu_k^j(\mathbf b)=1$, hence
4474: $\nu_k(\mathbf b)=\sum_{j=0}^{\ell-1}\nu_k^j(\mathbf b)=\ell$, and finally
4475: $\nu(\mathbf b)=
4476: \sum_{k=0}^{n-1}\nu_k(\mathbf b)=n\ell$ for all $\mathbf b$.
4477: This completes the proof of the first assertion of the theorem.
4478:
4479: To prove the second assertion note that we return to the case $\ell=1$;
4480: hence, in view of the first assertion every $m$-tuple
4481: for $1\le m\le n$ occurs at the $2^nn$-cycle $C(\mathcal Z^\prime)$ exactly
4482: $2^{n-m}n$ times. Thus, every such $m$-tuple occurs $2^{n-m}n-c$ times
4483: at the finite binary sequence
4484: $\hat{\mathcal Z}=\hat z_0\hat z_1\ldots\hat z_{2^n-1}$, where
4485: $\hat z$ for $z\in\{0,1,\ldots,2^n-1\}$ is an $n$-bit sequence that agrees
4486: with base-$2$ expansion of $z$. Note that $c$ depends on the $m$-tuple, yet
4487: $0\le c\le m-1$ for every $m$-tuple. Easy algebra shows that \eqref{eq:Q1}
4488: holds for these $m$-tuples.
4489:
4490: Now to prove that $\mathcal Z^\prime$ satisfies Q1
4491: we have only to demonstrate that \eqref{eq:Q1} holds for $m$-tuples with
4492: $m=n+d$, where $0<d\le\log_2n$. We claim that such an $m$-tuple occurs at
4493: the sequence $\hat{\mathcal Z}$ not more than $n$ times.
4494:
4495: Indeed, in this case
4496: $\zeta_r\zeta_{r+1}\ldots\zeta_{r+n+d-1}=\beta_0\beta_1\ldots\beta_{n+d-1}$
4497: holds iff besides the two relations \eqref{eq:distr1} and \eqref{eq:distr2} the following
4498: extra congruence holds:
4499: $$f(\overline{\zeta_{tn}\zeta_{tn+1}\ldots\zeta_{tn+k-1}\beta_0\beta_1\ldots\beta_{d-1}})
4500: \equiv
4501: \overline{\beta_{n-k}\beta_{n-k+1}\ldots\beta_{n+d-1}}\pmod{2^{k+d}},$$
4502: where $k=r\bmod n$. Yet this extra congruence may or may not have a solution
4503: in unknowns $\zeta_{tn},\zeta_{tn+1},\ldots,\zeta_{tn+k-1}$; this depends on $\beta_0\beta_1\ldots\beta_{n+d-1}$.
4504: But if such a solution exists, it is unique for a given $k\in\{0,1,\ldots,n-1\}$, since $f$
4505: is ergodic, whence, bijective modulo $2^s$ for all $s=1,2,\ldots$.
4506: This proves our claim. Now easy exercise in inequalities shows that \eqref{eq:Q1}
4507: holds in this case, thus completing the proof of the theorem.
4508: \end{proof}
4509: \begin{note}
4510: \label{note:distr}
The first assertion of theorem \ref{thm:distr} remains true for {\it wreath
4512: products of truncated automata}, i.e. for the sequence $\mathcal F$ of corollary
4513: \ref{cor:WP}, where $F_j(x)=\big\lfloor\frac{x}{2^{n-k}}\big\rfloor\bmod 2^k$,
4514: $j=0,1,\ldots,\ell-1$, a truncation of $n-k$ low order bits. Namely, {\it
4515: a binary representation $\mathcal F^\prime$ of the sequence $\mathcal F$
4516: is a purely periodic strictly $k$-distributed binary sequence of period
4517: length exactly $2^n\ell k$.}
4518:
4519:
4520: The second assertion of theorem \ref{thm:distr} holds for arbitrary prime
4521: $p$. Namely, {\it a base-$p$ representation of an output sequence
4522: of a congruential generator over $\Z/p^n$
4523: of a maximum period length is strictly $n$-distributed sequence over $\Z/p$
4524: of period length exactly $p^nn$, which satisfies Q1}.
4525: %$\mathcal A=\langle
4526: %\Z/p^n,\Z/p^n,f\bmod p^n,
4527:
4528: Moreover, the first assertion of \ref{thm:distr} holds
4529: for truncated congruential generators with output
4530: function $F(x)=\big\lfloor\frac{x}{p^{n-k}}\big\rfloor\bmod p^k$. Namely, {\it
4531: a base-$p$
4532: representation of an output sequence of a truncated congruential generator
4533: over $\Z/p^n$ of a maximum period length is a purely periodic strictly $k$-distributed
4534: sequence over $\Z/p$ of period length exactly $p^nk$}.
4535:
4536: The second assertion for this generator holds whenever $2+p^k>kp^{n-k}$;
4537: thus, {\it one could truncate $\le\big(\frac{n}{2}-\log_p\frac{n}{2}\big)$ lower order digits
4538: %could be truncated
4539: without affecting property Q1}.
4540: %Truncation of wreath products. Arbitrary $p$.
4541:
4542: All these statements could be proved by slight modifications of the
4543: proof of theorem \ref{thm:distr}. We omit details.
4544: \end{note}
4545:
4546:
4547:
4548:
4549: %However, intuitively a ``randomly looking" sequence must have uniform
4550:
4551:
4552: \section
4553: %{On predictability of congruential generators}
4554: {Some cryptanalysis}
4555: \label{sec:Predict}
4556: A main goal of this section is to demonstrate
4557: that with the use of constructions described in Section \ref{sec:Constr}
4558: it is possible to design stream ciphers such that the problem of their
4559: key recovery is intractable up to some plausible conjectures.
4560:
4561: % Also we introduce
4562: % a network protocol to guarantee that segments of output sequence used by
4563: % network subscribers do not overlap. Finally we discuss a two-stage encryption
4564: % scheme such that all its parameters (initial state, state transition function
4565: % and output function) are key-dependent. Moreover, this sceme modifies itself
4566: % dynamically during encryption without affecting important cryptographic
4567: % characteristics that were studied above (length of a period, linear and
4568: % $2$-adic complexity, distribution of $k$-tuples.
4569: %
4570:
4571: % that are provably strong against
4572: % some
4573: % attacks. Also we will give some evidence (and not a proof) that senior coordinate
4574: % sequences are, generally speaking, not predictable in polynomial on key
4575: % length time. Note that today there are no unconditional
4576: % proofs of unpredictability of a sequence produced by a polynomial-time
4577: % generator.
4578: %\subsection*{Key recovery}
4579: Consider a ``known plaintext" attack. That is, a cryptanalyst obtains
4580: a plaintext and a corresponding encrypted text and tries to recover a key.
4581: Since the encryption with
4582: stream cipher is just bitwise XORing of a plaintext with a binary
4583: output sequence of a generator, a cryptanalyst obtains an output sequence
and tries to recover a key. Note that the constructions we considered above
enable one to make the initial state, the state transition function and the
output function all key-dependent, so in general a cryptanalyst has to
recover a key from a known recurrence sequence $\{y_s,y_{s+1},\ldots\}$
that corresponds to the recurrence law $x_{i+1}=f_i(x_i)\bmod 2^n$,
$y_{i+1}=g_i(x_i)$. Thus, in general a cryptanalyst has to recover an
4590: initial state $x_0$, a family of state transition functions $\{f_j\}$,
4591: a family of output functions $\{g_j\}$, and the order these state transition
4592: and output functions
4593: are used while producing the output sequence.
4594: %, knowing only that, say, all
4595: %output
4596: %functions are equiprobable, state transition functions are measure preserving
4597:
4598: Of course, an analysis in such a general form is senseless. On the one
4599: hand it is obvious that
4600: nothing can be recovered in case $f_i$ and $g_i$ are arbitrary mappings
4601: that satisfy conditions of \ref{cor:WP}, and no extra information is known
to a cryptanalyst.
On the other hand, it is obvious that there exist degenerate cases
in which everything can be easily recovered even without extra information
available.
4606:
4607: %Consider an example of such a degenerate
4608: %case:
4609: For instance, let $m=4k-1$; put $f_i(x)=x+1$ if $i\in\{0,1,\ldots,m-1\}$ is odd, and
4610: put $f_i(x)=1\oplus(x+1)$ for even $i\in\{0,1,\ldots,m-1\}$. Let
all $g_i(x)=\lfloor\frac{x}{2}\rfloor\bmod 2^n$ be truncations of the least significant
4612: bit. Note that this case satisfies conditions of \ref{cor:WP}; thus, the
4613: corresponding output sequence modulo $2^n$ is purely periodic of period
4614: length $2^nm$, and each element of $\Z/2^n$ occurs at the period exactly
4615: twice. Yet the structure of the output sequence is so specific (exact description
4616: of it could easily be obtained by a reader) that it is absolutely no problem
4617: to break such a scheme.
4618:
Thus, nothing definite can be said about how strong the generators
considered in this paper are against even a single attack without
considering a concrete scheme. We are not going to study concrete schemes in
this paper; instead we demonstrate by an example that among the
generators we study there are ones that are provably strong
against certain attacks, say, against a known plaintext attack.
4625:
To describe such an example we have to make some preliminary assumptions.
Choose (randomly and independently) $k$ Boolean polynomials
$$\psi_i(\chi_0,\ldots,\chi_{n-1}) \qquad (i=0,1,\ldots,k-1)$$
in $n$ Boolean variables $\chi_0,\ldots,\chi_{n-1}$ each, such that the
number of non-zero monomials in each $\psi_i$ is a polynomial in $n$ ($k$
could be fixed, or could itself be a polynomial in $n$). Consider
a mapping $F\:\Z/2^n\>\Z/2^k$ defined by
$$F(\chi_0,\ldots,\chi_{n-1})=\psi_0(\chi_0,\ldots,\chi_{n-1})+\dots
+\psi_{k-1}(\chi_0,\ldots,\chi_{n-1})2^{k-1},$$
where $\chi_j=\delta_j(x)$ for $x\in\Z/2^n$. We conjecture that {\slshape
this function $F$ can be considered one-way}, that is,
that it can be inverted (i.e., an $F$-preimage found, in case one exists)
only with probability negligible in $n$. Note that to
find an $F$-preimage, i.e. to solve the equation $F(x)=y$ for the unknown $x$,
one has to solve a system of $k$ Boolean equations in $n$ variables.
However, {\slshape to determine whether a given system of $k$ Boolean polynomials
in $n$ variables has a common zero is an $NP$-complete problem},
see e.g. \cite[Appendix
A, Section A7.2, Problem ANT-9]{GJ}. So, in our view, the conjecture that
the function $F$ is one-way is as plausible as the one concerning any other
``candidate for one-wayness'' (for a short list of the latter see e.g.
\cite{Gold}): nobody today can solve a system of Boolean equations even
if it is known that a solution exists (unless the system is of some special
form).
4656:
Proceeding under this plausible conjecture,
to each Boolean polynomial $\psi_i$, $i=0,1,2,\ldots,k-1$,
we relate a mapping $\Psi_i\:\Z_2\>\Z_2$
in the following way: $\Psi_i(x)=\psi_i(\delta_0(x),\ldots,\delta_{n-1}(x))\in\{0,1\}
\subset\Z_2$.
4662: % Substitute $\oplus$ (i.e., $\XOR$) for $+$, $\odot$ (i.e.,
4663: % $\AND$) for $\cdot$, and $\delta_j(x)$ for $\chi_j$, $j=0,1,\ldots,
4664: % n-1$, e.g., to $\psi=1+\chi_0+\chi_0\chi_1$ we associate $h(x)=1\oplus(\delta_0(x))
4665: % \oplus(\delta_0(x)\odot\delta_1(x))$. Thus, $h_i$ is well defined, $h_i(\Z_2)\subset
4666: % \{0,1\}$.
Now to each mapping $F$ as above we relate a mapping
$$f_F(x)=(1+x)\oplus(2^{n+1}\Psi_0(x)+2^{n+2}\Psi_1(x)+\dots+ 2^{n+k}\Psi_{k-1}(x))$$
of $\Z_2$ onto itself.
4670:
Although this is not essential, note in passing that the mapping is a
composition of bitwise logical and arithmetic operations: to a monomial
$\chi_{r_1}\cdots\chi_{r_s}$, where $r_1,\ldots,r_s\in\{0,1,\ldots,n-1\}$,
$r_1<\ldots<r_s$, we relate the binomial coefficient $\binom{x}{2^{r_1}+\cdots+ 2^{r_s}}$,
and to a Boolean polynomial we relate the sum of the corresponding binomial
coefficients. For instance, to the Boolean polynomial $\psi=1+\chi_0+\chi_0\chi_1+
\chi_1\chi_3$
we relate the integer-valued polynomial $1+x+\binom{x}{3}+\binom{x}{10}$.
Since
$$\binom{x}{2^{r_1}+\cdots +2^{r_s}}\equiv \delta_{r_1}(x)\cdots\delta_{r_s}(x)\pmod
2$$
in view of Lucas' congruence\footnote{$\binom{n}{m}\equiv\binom{n_0}{m_0}\cdots
\binom{n_s}{m_s}\pmod p$, where $n=n_0+\cdots+n_sp^s$, $m=m_0+\cdots+m_sp^s$
are the base-$p$ expansions of $n$ and $m$, respectively, and $p$ is prime.}, we have $\Psi_j(x)\equiv P_j(x)\pmod 2$, where $P_j(x)$
is the polynomial over the field $\Q$ of rational numbers
that corresponds to the Boolean polynomial $\psi_j$
in the above sense. Thus, $\Psi_j(x)=P_j(x)\AND 1$, and the claim follows.
4688:
4689:
4690:
4691:
4692: Clearly,
4693: $$
4694: \delta_j(f_F(x))=\begin{cases}
4695: 1\oplus\delta_0(x),\qquad\text{if $j=0$;}\\
4696: \delta_j(x)\oplus\delta_0(x)\cdots\delta_{j-1}(x),\qquad\text{if $0<j\le n$;}\\
4697: \delta_j(x)\oplus\delta_0(x)\cdots\delta_{j-1}(x)\oplus
4698: \psi_{j-n-1}(\delta_0(x),\dots,\delta_{n-1}(x)),\text{otherwise.}
4699: %$n\le j\le n+k-1$.}
4700: \end{cases}$$
4701: In view of \ref{ergBool} the mapping $f_F\:\Z_2\>\Z_2$ is compatible and
4702: ergodic for any choice of Boolean polynomials $\psi_0,\ldots,\psi_{k-1}$.
4703:
Consider a truncated congruential generator
$$\mathfrak F=\langle\Z/2^{n+k+1},\Z/2^k,f_F\bmod 2^{n+k+1},g, x_0\rangle,$$
where
$g(x)=\lfloor\frac{x}{2^{n+1}}\rfloor\bmod2^k$, i.e., $g$ discards the $n+1$ low-order
bits of $x$. Since the state transition function is transitive and
the output function is equiprobable, the output sequence of this generator
is purely periodic with period length exactly $2^{n+k+1}$, and each element
of $\Z/2^k$ occurs in the period exactly $2^{n+1}$ times.
4714:
Let $x_0\in\{0,1,\ldots,2^n-1\}$ be a key; in other words, the key length
of the stream cipher is $n$, and we always take a key $z\in\{0,1,\ldots,2^n-1\}$
as the initial state (the seed). Thus, the $k+1$ most significant bits of the
initial state are always zero. The key $z$ is the only information that is not
known to the cryptanalyst. Everything else, i.e., $n$, $k$, $f_F$, and $g$, is known,
as well as the first $m$ members of the output sequence $\{y_i\}$ of the automaton.
4721:
4722: % Thus,
4723: % \begin{align*}
4724: % &y_{i}=\Psi_0(x_{i})+2\Psi_1(x_{i})+\dots+ 2^{k-1}\Psi_{k-1}(x_{i});\\
4725: % &x_{i+1}=f_F(x_i)\bmod 2^{n+k+1}.
4726: % \end{align*}
4727:
4728: Since $\delta_0(x)\cdots\delta_{j-1}(x)=1$ iff $x\equiv -1\pmod
4729: {2^j}$, the first $m$ members of the output sequence with probability $1-\epsilon$
4730: (where $\epsilon$ is negligible if $m$ is a polynomial in $n$) are:
4731: \begin{align*}
4732: &y_{0}=\Psi_0(z)+2\Psi_1(z)+\dots+ 2^{k-1}\Psi_{k-1}(z)=F(z);\\
4733: &\ldots\ \ldots\ \ldots\ \ldots\ \ldots\ \ldots\ \ldots\ \ldots\ \ldots\\
4734: &y_{m-1}=\Psi_0(z+m-1)+\dots+ 2^{k-1}\Psi_{k-1}(z+m-1)=F(z+m-1).
4735: \end{align*}
To find $z$ a cryptanalyst may solve any of the above equations; he can
do so only with negligible probability of success, since $F$ is one-way. On
the other hand, the assumption that a cryptanalyst could find $z$ with non-negligible probability
means that he could invert $F$ with non-negligible probability
(see the first of the above equations). This contradicts our conjecture
that $F$ is one-way. Thus, key recovery for this scheme is
intractable under the conjecture that $F$ is one-way.
\begin{note*} This construction can be extended to counter-dependent generators
in an obvious way. We also note that the restriction that the state transition
function of the above generator is $1+x$ modulo $2^{n+1}$
is imposed
only to make the idea of the construction more transparent:
it is possible to construct a corresponding
stream cipher, which is provably secure against a known plaintext attack,
without this assumption.
\end{note*}
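
For tiny parameters the generator $\mathfrak F$ and the binomial-coefficient remark above can be verified exhaustively. The following Python script is an added illustration and not part of the paper: it builds $F$ from $k$ random Boolean polynomials (monomials drawn with a fixed seed; the function names \texttt{psi}, \texttt{f\_F}, \texttt{g}, \texttt{check\_claims} are the script's own), walks the whole state cycle modulo $2^{n+k+1}$ to confirm the period length and the $2^{n+1}$ occurrences of each output value, checks the digit formula for $\delta_j(f_F(x))$ and the Lucas correspondence $\Psi_j(x)=P_j(x)\AND 1$, and produces the first $m$ outputs for a key $z<2^n$.

```python
import random
from math import comb

def delta(x, j): return (x >> j) & 1                       # j-th binary digit delta_j(x)
def g(x, n, k): return (x >> (n + 1)) & ((1 << k) - 1)     # output: drop n+1 low bits, keep k

def random_boolean_polys(n, k, monomials=4, seed=2004):
    """k random Boolean polynomials in chi_0..chi_{n-1}: lists of monomials, each a
    tuple of variable indices (the empty tuple is the constant 1; repeats cancel mod 2)."""
    rng = random.Random(seed)
    return [[tuple(sorted(rng.sample(range(n), rng.randint(0, 2))))
             for _ in range(monomials)] for _ in range(k)]

def psi(poly, x):
    """Psi(x) in {0,1}: the Boolean polynomial at chi_j = delta_j(x) (XOR = parity of sum)."""
    return sum(all(delta(x, r) for r in mono) for mono in poly) & 1

def F(polys, x, n):
    """F: Z/2^n -> Z/2^k, the conjectured one-way function (depends on x mod 2^n only)."""
    x &= (1 << n) - 1
    return sum(psi(p, x) << i for i, p in enumerate(polys))

def f_F(polys, x, n, k):
    """(1+x) XOR (2^{n+1}Psi_0(x)+...+2^{n+k}Psi_{k-1}(x)), reduced mod 2^{n+k+1}."""
    return ((1 + x) ^ (F(polys, x, n) << (n + 1))) % (1 << (n + k + 1))

def digit_formula(polys, x, j, n):
    """delta_j(f_F(x)) as given by the case analysis in the text."""
    if j == 0:
        return 1 ^ delta(x, 0)
    carry = int(all(delta(x, i) for i in range(j)))        # 1 iff x = -1 (mod 2^j)
    v = delta(x, j) ^ carry
    return v if j <= n else v ^ psi(polys[j - n - 1], x)

def binomial_form(poly, x):
    """P(x): chi_{r1}...chi_{rs} -> binom(x, 2^{r1}+...+2^{rs}); Lucas gives P(x) mod 2 = Psi(x)."""
    return sum(comb(x, sum(1 << r for r in mono)) for mono in poly)

def run(polys, n, k, z, m):
    """First m outputs y_0..y_{m-1} of the generator seeded with the key z < 2^n."""
    x, ys = z, []
    for _ in range(m):
        ys.append(g(x, n, k))
        x = f_F(polys, x, n, k)
    return ys

def check_claims(polys, n, k):
    """Walk the state cycle through 0; return (cycle length, count of each output
    value on the cycle, digit formula holds for all x and j, Lucas correspondence holds)."""
    mod, x, steps, counts = 1 << (n + k + 1), 0, 0, [0] * (1 << k)
    while True:
        counts[g(x, n, k)] += 1
        x, steps = f_F(polys, x, n, k), steps + 1
        if x == 0 or steps == mod:                          # back at the seed, or not one cycle
            break
    digits_ok = all(delta(f_F(polys, x, n, k), j) == digit_formula(polys, x, j, n)
                    for x in range(mod) for j in range(n + k + 1))
    lucas_ok = all(binomial_form(p, x) & 1 == psi(p, x)
                   for p in polys for x in range(1 << n))
    return steps, counts, digits_ok, lucas_ok
```

For the generator as coded here the high-order bits accumulate by XOR, so it is the differences $y_{i+1}\oplus y_i$ of successive outputs that equal $F(z+i)$ (for $z+m<2^n$); the argument that recovering $z$ amounts to inverting $F$ is unchanged.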
4753:
\begin{thebibliography}{99}
%\nofrills
%\centerline{\bf References}
4757:
4758:
\bibitem{KN}
L. Kuipers, H. Niederreiter.
{\it Uniform Distribution of Sequences\/},
John Wiley \& Sons, New York, 1974.
4764:
4765:
4766:
\bibitem{Knuth}
D. Knuth.
{\it The Art of Computer Programming.
Vol. 2:
Seminumerical Algorithms\/} (Third edition),
Addison-Wesley, Reading, MA, 1998.
4774:
4775:
\bibitem{Mah}
K. Mahler.
{\it $p$-adic numbers and their functions\/}
(2nd edition),
Cambridge Univ. Press,
Cambridge, 1981.
4783:
4784:
4785:
4810:
\bibitem{Kobl}
N. Koblitz.
{\it $p$-adic numbers, $p$-adic analysis, and
zeta-functions.}
Springer-Verlag,
New York, 1977.
4818:
4819:
4820:
4821:
4822: \bibitem{Bri-Od}
4823: E. F. Brickell, A. M. Odlyzko
4824: `Cryptanalysis: A Survey of Recent Results',
4825: {\it Proc. IEEE \/},{\bf 76}
4826: (1988), No 5, 578--593.
4827:
4828:
4861:
4862: \bibitem{me-1}
4863: V. S. Anashin
4864: `Uniformly distributed sequences over $p$-adic integers',
4865: {\it Mat. Zametki\/}, {\bf 55} (1994), No 2, 3--46
4866: (in Russian; English transl. in
4867: {\it Mathematical Notes}, {\bf 55},(1994), No 2,
4868: 109--133.)
4869:
4870:
4871:
\bibitem{me-conf}
V. S. Anashin.
`Uniformly distributed sequences over $p$-adic integers',
{\it Number theoretic and algebraic methods in computer science.
Proceedings of the Int'l Conference (Moscow, June--July, 1993)\/}
(A. J. van der Poorten, I. Shparlinsky and H. G. Zimmer, eds.),
World Scientific, 1995, 1--18.

\bibitem{Riv}
R. Rivest.
`Permutation polynomials modulo $2^w$',
{\it Finite Fields and Appl.}
{\bf 7} (2001),
No 2,
pp. 287--292.

\bibitem{Lar}
M. V. Larin.
`Transitive polynomial transformations of residue class rings',
{\it Diskret. Mat.} {\bf 14} (2002), No 2, pp. 20--32 (Russian).
4916:
4917:
\bibitem{Kl-Gor}
A. Klapper, M. Goresky.
`Feedback shift registers, $2$-adic span, and combiners with memory',
{\it J. Cryptology\/}, {\bf 10}
(1997),
111--147.
4924:
4925:
4926:
\bibitem{me-ex}
V. S. Anashin.
`Uniformly distributed sequences in computer algebra, or how to construct
program generators of random numbers',
{\it J. Math. Sci.\/} (Plenum Publishing Corp.,
New York),
{\bf 89} (1998),
No 4,
1355--1390.
4936:
4937:
4953:
\bibitem{Menz}
A. Menezes, P. van Oorschot, S. Vanstone.
{\it Handbook of Applied Cryptography\/},
CRC Press,
1996.
4959:
4960:
\bibitem{ShTs}
A. Shamir, B. Tsaban.
{\it Guaranteeing the diversity of number generators.\/}
Available from
\href{http://arXiv.org/abs/cs.CR/0112014}%% with hyperref loaded this
%% becomes a hyperlink
{http://arXiv.org/abs/cs.CR/0112014}
4968:
4969:
\bibitem{Kr}
H. Krawczyk.
`How to predict congruential generators',
{\it J. Algorithms\/},
{\bf 13} (1992),
No 4,
527--545.
4977:
4990:
\bibitem{Brent}
R. P. Brent.
`Factorization of the tenth Fermat number',
{\it Math. Comput.\/}
{\bf 68}
(1999),
No 225.
4998:
4999: \bibitem{me-2}
5000: V. S. Anashin.
5001: `Uniformly distributed sequences of $p$-adic integers, II',
5002: %V.S.Anashin,
5003: %Uniformly distributed sequences of p-adic integers.
5004: (Russian)
5005: {\it Diskret. Mat.} {\bf 14} (2002), no. 4, 3--64;
5006: English translation in {\it Discrete Math. Appl.} {\bf 12} (2002), no. 6,
5007: 527--590.
A preprint in English is available from
\href{http://arXiv.org/math.NT/0209407}%% with hyperref loaded this
%% becomes a hyperlink
{http://arXiv.org/math.NT/0209407}
5012:
5013: \bibitem{LinRec}
5014: G. Everest, A. van der Poorten, I. Shparlinsky. {\it Recurrence Sequences},
5015: American Mathematical Society Surveys, Vol. 104, 2003.
5016:
5034: \bibitem{RC6}
5035: R. Rivest, M. Robshaw, R. Sidney, and Y. L. Yin. {\it The RC6 block cipher }.
Available from
\href{http://www.rsa.com/rsalabs/rc6/}%% with hyperref loaded this
%% becomes a hyperlink
{http://www.rsa.com/rsalabs/rc6/}
5040:
\bibitem{KlSh}
A. Klimov, A. Shamir. `A new class of invertible mappings', in:
{\it Cryptographic Hardware and Embedded Systems 2002}
(B. S. Kaliski Jr. et al., eds.), Lect. Notes in Comp. Sci., Vol. 2523,
Springer-Verlag, 2003, pp. 470--483.
5046:
5047: \bibitem{KlSh-2}
5048: A. Klimov, A. Shamir.
5049: `Cryptographic applications of $T$-functions', in:
5050: {\it Selected Areas in Cryptography -2003}
5051:
\bibitem{five}
A. Frieze, J. H{\aa}stad, R. Kannan, J. C. Lagarias, and A. Shamir. `Reconstructing
truncated integer variables satisfying linear congruences'. {\it SIAM J.
Comput.}, {\bf 17} (1988), No 2, pp. 262--280.
5056:
5061:
5062: \bibitem{Pas}
5063: D. Passman. {\it Permutation groups}, W. A. Benjamin, Inc., NY--Amsterdam,
5064: 1968.
5065:
\bibitem{Mars}
G. Marsaglia. `Xorshift RNGs'. {\it Journal of Statistical Software} (electronic),
{\bf 08} (2003), No. 14.
Available from
\href{http://www.jstatsoft.org/v08/i14/xorshift.pdf}%% with hyperref loaded this
%% becomes a hyperlink
{http://www.jstatsoft.org/v08/i14/xorshift.pdf}
5073:
5074:
5075: \bibitem{LidNied}
5076: R. Lidl, H. Niederreiter. {\it Finite Fields}, Addison-Wesley Publ. Co.,
5077: 1983
5078:
5079: \bibitem{MrH}
5080: Marshall Hall, Jr. {\it Combinatorial theory}, Blaisdell Publ. Co., 1967
5081:
5082: \bibitem{GJ}
5083: M. R. Garey, D. S. Johnson. {\it Computers and Intractability: A Guide
5084: to the Theory of $NP$-completeness}. W.H. Freeman and Co., 1979
5085:
5086:
5087: \bibitem{Gold}
5088: O. Goldreich, {\it Foundations of Cryptography. Basic Tools.} Cambridge Univ.
5089: Press, Cambridge, 2001.
5090:
5091: \end{thebibliography}
5092: \end{document}
5093:
5094: