1: %&latex
2: %File: C:\TEX\BIN\WIN32\Addendum.tex Sat Feb 14 11:04:32 2004
3:
4: \documentclass{amsart}
5: %\usepackage[cp1251]{inputenc}%%% Можно отключить, если компилятор понимает
6: %\usepackage[russian, english]{babel}%% В англ./рус. тексте, в англ. отключить
7: %\usepackage[english,russian]{babel}%% В русском тексте
8: %\usepackage{amsmath}
9: \usepackage{amssymb}
10: %\usepackage{hhline}
11: %\usepackage{amsxtra}
12: %\usepackage{amsthm}
13: %\usepackage{theorem}
14: %\usepackage{showkeys} %%Отключить вообще при чистовой распечатке!!! Чтобы отключить
15: %%ссылки на теоремы, добавить аргумент [notref], чтобы отключить ссылки
16: %%на литературу, добавить [notcite]
17: %\usepackage{showtags}
18:
19: %%%%THEOREM-like environment%%%
20: %\theoremstyle{margin}
21: \swapnumbers
22: \theoremstyle{plain}
23: \newtheorem{thm}{Theorem}[section]
24: \newtheorem{lem}[thm]{Lemma}
25: \newtheorem{prop}[thm]{Proposition}
26: \newtheorem{cor}[thm]{Corollary}
27: \newtheorem{OpQu}[thm]{Open question}
28: \newtheorem*{OpQu*}{Open question}
29: \theoremstyle{definition}
30: \newtheorem{defn}[thm]{Definition}
31: \theoremstyle{remark}
32: \newtheorem{note}[thm]{Note}
33: \newtheorem*{note*}{Note}
34: \newtheorem{exmp}[thm]{Example}
35: \newtheorem*{exmp*}{Example}
36:
37: %%%Numbering of eqns%%%
38: \numberwithin{equation}{thm}
39:
40: %%%Operators%%%
41:
42: \DeclareMathOperator{\ord}{ord}
43: \DeclareMathOperator{\wt}{wt}
44: \DeclareMathOperator{\Wt}{Wt}
45: \DeclareMathOperator{\Coef}{Coef}
46: \DeclareMathOperator*{\Limsup}{\overline\lim}
47: \DeclareMathOperator*{\Liminf}{\underline\lim}
48: \DeclareMathOperator*{\Wr}{\wr}
49:
50: \DeclareMathOperator{\XOR}{\scriptstyle{\mathsf{XOR}}}
51: \DeclareMathOperator{\OR}{\scriptstyle{\mathsf {OR}}}
52: \DeclareMathOperator{\AND}{\scriptstyle{\mathsf {AND}}}
53: \DeclareMathOperator{\NEG}{\scriptstyle{\mathsf {NEG}}}
54:
55: %%%New commands%%%
56: \newcommand{\Z}{\mathbb Z}
57: \newcommand{\Q}{\mathbb Q}
58: \newcommand{\N}{\mathbb N}
59: \newcommand{\R}{\mathbb R}
60:
61: %%%Modified commands%%%
62: \renewcommand{\:}{\colon}
63: \renewcommand{\>}{\rightarrow}
64:
65: \usepackage[backref,% %% При включении пакета showkeys отключить hyperref!!!
66: pagebackref,%
67: %pdftex=true,%
68: bookmarks=true,%
69: colorlinks=true]%
70: {hyperref}
71: %
72:
73: % \hypersetup{%
74: % pdfauthor={Vladimir Anashin},
75: % pdftitle={Pseudorandom generation with p-adic ergodic
76: % transformations}
77: % pdfsubject={Pseudorandom generators}
78: % pdfkeywords={pseudorandom, p-adic, ergodic}}
79: % %
80: \begin{document}
81:
82: \hyphenation{appli-cat-ions cryp-to-gra-phy com-ple-xi-ty com-po-si-ti-ons
83: dis-tan-ce ad-di-ti-on in-effect-ive multi-pli-cat-ion con-junct-ion
84: com-pos-it-ion funct-ions Mau-rer ge-ne-ra-li-z-ed equi-pro-b-ab-le
85: coun-ter-de-pen-dent}
86: %
87: %
88: %%CW def's
89: \def\huh{\hbox{\vrule width 2pt height 8pt depth 2pt}}
90: \def\eqnum#1{\eqno (#1)}
91: \def\cwdash{\relbar\joinrel}
92: \def\fnote#1{\footnote}
93:
94:
95: \title[Pseudorandom generators: an addendum] {Pseudorandom Number Generation by $p$-adic Ergodic
96: Transformations: An Addendum}
97: \author{Vladimir Anashin}
98:
99: \address{Faculty of Information Security,
100: Russian State University for the Humanities,\\
101: Kirovogradskaya Str., 25/2, Moscow 113534, Russia}
102:
103: \email{anashin@rsuh.ru, vladimir@anashin.msk.su}
104:
105:
106:
107:
108: \begin{abstract}
109:
110: The paper study counter-dependent pseudorandom number generators
111: based on $m$-variate
112: ($m>1$)
113: ergodic mappings of the space of $2$-adic integers $\Z_2$.
114: % the latter are generators such that their state
115: % transition function (and output function) is being modified
116: % dynamically while working:
117: % For such a generator
118: %i.e., generators defined by the recurrence law
119: % the recurrence sequence
120: % of states satisfies a congruence
121: The sequence of internal states of these generators is defined by the recurrence
122: law
123: $\mathbf x_{i+1}= H^B_i(\mathbf x_i)\bmod{2^n}$, whereas their output
124: sequence is
125: %while its output sequence is of the
126: $\mathbf z_{i}=F^B_i(\mathbf x_i)\mod 2^n$; here
127: $\mathbf x_j, \mathbf z_j$ are $m$-dimensional vectors over $\Z_2$. It is shown how the
128: results obtained
129: for a univariate case could be extended to a multivariate case.
130: \end{abstract}
131: \keywords{Pseudorandom generator, counter-dependent generator, ergodic transformation, equiprobable
132: function, $p$-adic analysis}
133: \subjclass{11K45, 94A60, 68P25, 65C10}
134:
135: \maketitle
136:
137: \section {Introduction}
138: \label{Sec:Intro}
139: In \cite{me:3} we considered counter-dependent generators that produce
140: recurrence sequences $\{u_i\in\Z/2^n\}$ of $n$-bit words according to the
141: following law:
142: %while its output sequence is of the
143: %form
144: $$u_{i}=F_i(w_i);\quad w_{i+1}\equiv f_i(w_i)\pmod{2^n},\quad (i=0,1,2,\ldots).$$
145: In the mentioned paper we restricted ourselves mainly to the case of univariate mappings $f_i$
146: and $F_i$. Trivially, each univariate mapping $\Z/2^{mn}\>\Z/2^{mn}$
147: of the resdue ring modulo $2^{mn}$ could be considered as a mapping
148: $(\Z/2^n)^{(m)}\>(\Z/2^n)^{(m)}$ of a Cartesian power $(\Z/2^n)^{(m)}$
149: of the residue ring $\Z/2^n$, i.e., as an $m$-variate mapping. It turnes
150: out, however, that in some cases it is more effective to implement a univariate
151: mapping in its multivariate form to achieve better performance.
152: For instance, recently in \cite{KlSh:3}
153: there were constructed examples of multivariate $T$-functions with a single
154: cycle (i.e., of compatible ergodic functions, in our terminology, see \cite{me:3}),
155: which are very fast
156: %such that the corresponding computer program demonstrated a very high performance
157: (see theorem 6 of \cite{KlSh:3} and the text thereafter).
158:
159: Below we introduce some special way to derive multivariate compatible
160: ergodic functions from univariate ones (the mentioned mappings of
161: \cite{KlSh:3} originate
162: this way); in fact, we merely represent univariate mappings in a multivariate
163: form. This immediately implies that {\slshape one could apply all the results
164: %from univariate compatible and ergodic functions, and that it is possible
165: %to construct a large class of such multivariate mappings using techniques
166: of \cite{me:3} to estimate important cryptographic characteristics of
167: these multivariate mappings} (e.g.,
168: linear and $2$-adic spans, distribution of $k$-tuples), {\slshape as well as to construct
169: multivariate output functions that improve
170: periods of coordinate sequences} (see \cite{me:3} for definitions). Also,
171: exploiting this multivariate representation and
172: using techniques
173: of wreath products of \cite{me:3}
174: we describe how to lift an arbitrary $m$-variate permutation with a single
175: cycle of $n$-bit
176: words to a permutation with a single cycle of $(n+K)$-bit words, and how
177: to construct counter-dependent generators based on these multivariate mappings.
178:
179: \section{Multivariate ergodic mappings}
180: \label{Mult}
181: Consider a bijection
182: $B(x^0,\ldots,x^{m-1})=X$
183: of the $m$\textsuperscript{th} Cartesian power $(\Z_2)^{(m)}$ of the space
184: $\Z_2$ of $2$-adic integers onto the space $\Z_2$ given by $\delta_k(X)\equiv\delta_{\ell}(x^r)\pmod
185: 2$, where $r\in\{0,1,\ldots,m-1\}$ is the least non-negative residue of
186: $k\in\{0,1,2,\ldots\}$ modulo $m$, $k=\ell\cdot m+r$, $X\in\Z_2$,
187: $(x^0,\ldots,x^{m-1})\in(\Z_2)^{(m)}$, $\delta_j(u)$ is the
188: $j$\textsuperscript{th} bit of a canonical $2$-adic representation of $u\in\Z_2$.
189: \footnote{Loosely speaking, we may
190: think of an element
191: of a Cartesian power $(\Z_2)^{(m)}$ as of a table of $m$ infinite binary
192: rows, to which we put into the correspondence an infinite binary string (that
193: is, an element of $\Z_2$) obtained
194: by reading succesively bits of each column, from top to bottom.}
195: Consider a compatible mapping $H\:\Z_2\>\Z_2$ and a conjugate mapping
196: $$H^B(x^0,\ldots,x^{m-1})=(h^0(x^0,\ldots,x^{m-1}),\ldots,h^{m-1}(x^0,\ldots,x^{m-1}))$$
197: of $(\Z_2)^{(m)}$ to $(\Z_2)^{(m)}$;
198: that is, $H^B(x^0,\ldots,x^{m-1})=B^{-1}(H(B(x^0,\ldots,x^{m-1})))$.
199: %where $H:(\Z_2)^{(m)}\>(\Z_2)^{(m)}$
200: %is an arbitrary $m$-variate compatible mapping.
201: Obviously, the conjugate mapping $H^B$ is compatible and ergodic
202: whenever the mapping $H$ is ergodic. For instance, let $H(X)=1+X$, then
203: %the
204: %$j$\textsuperscript{th} bit $\delta_j(H(X))$ of a canonical $2$-adic representation
205: %
206: %of $H(X)$
207: %\footnote{i.e., the $j$\textsuperscript{th} bit of infinite binary string
208: %that represents
209: %$H(X)$}
210: % \footnote
211: % {We recall that $\delta_j(u)$ is the $j$\textsuperscript{th} bit
212: % in base-$2$ expansion of $u\in\Z_2$, $j=0,1,2,\ldots$, and the space $\Z_2$
213: % of all $2$-adic
214: % integers could be thought of as a set of all infinite sequences
215: % of $0$'s and $1$'s.}
216: %could be expressed as
217: $$\delta_j(H(X))\equiv\delta_j(X)+\prod _{s=0}^{j-1}\delta_s(X)\pmod 2$$
218: (we assume the product over the empty set is $1$); then the conjugate $m$-variate
219: mapping is given by
220: \begin{multline*}
221: h^k(x^0,\ldots,x^{m-1})= x^k\oplus
222: \bigg(\bigg(\bigwedge_{s=0}^{k-1} x^s\bigg)
223: \wedge
224: \bigg(\bigwedge_{r=0}^{m-1}
225: ((x^r+1)\oplus x^r)\bigg)\bigg)=\\
226: x^k\oplus
227: \bigg(\bigg(\bigwedge_{s=0}^{k-1} x^s\bigg)
228: \wedge
229: \bigg(\bigg(
230: \bigg(\bigwedge_{r=0}^{m-1}x^r\bigg)+1\bigg)\oplus
231: \bigg(\bigwedge_{r=0}^{m-1}x^r\bigg)\bigg)\bigg)
232: \end{multline*}
233: for $k=0,1,2,\ldots,m-1$. Here, we recall, $\wedge$ (or $\AND$) is a
234: bitwise conjunction\footnote{i.e.,
235: a bitwise multiplication modulo 2},
236: %of
237: %$n$-bit
238: %words,
239: $\oplus$ (or $\XOR$) is a bitwise addition modulo $2$
240: (we assume that a bitwise conjunction $\wedge$ over the empty set is $-1$,
241: i.e., the string of all $1$'s). One
242: could construct various multivariate compatible ergodic mappings combining
243: this representation with the ergodicity criterion. We recall the latter:
244: \begin{thm}
245: \label{ergBool}
246: {\rm (see \cite[Theorem 3.13]{me:3})}
247: A mapping $T\colon\mathbb Z_2\rightarrow\mathbb Z_2$ is
248: compatible and measure preserving\footnote{That
249: is, $T$ induces a permutation on $\Z/2^n$ for all $n=1,2,3,\ldots$}
250: iff for each $i=0,1,\ldots$ the Boolean function
251: $\tau^T_i=\delta_i(T)$
252: in Boolean variables $\chi_0,\ldots,\chi_{i}$ could be represented as Boolean
253: polynomial of the form
254: $$\tau^T_i(\chi_0,\ldots,\chi_i)=\chi_i+\varphi^T_i(\chi_0,\ldots,\chi_{i-1}),$$
255: where $\varphi^T_i$
256: is a Boolean polynomial. The mapping $T$ is compatible and ergodic iff,
257: additionaly, the Boolean function
258: $\varphi^T_i$ is of odd weight, that is,
259: takes value $1$ exactly at the odd number of points
260: $(\varepsilon_0,\dots,\varepsilon_{i-1})$, where
261: $\varepsilon_j\in\{0,1\}$ for $j=0,1,\ldots,i-1$. The latter takes place if and only
262: if $\varphi^T_0=1$, and the degree of the Boolean polynomial $\varphi^T_i$ for
263: $i\ge 1$ is exactly
264: $i$, that is, $\varphi^T_i$ contains a monomial
265: $\chi_0\cdots\chi_{i-1}$.
266: \end{thm}
267:
268: For instance, theorem \ref{ergBool} implies that an arbitrary univariate
269: compatible and ergodic mapping $T$ gives rise to the $m$-variate compatible
270: and ergodic mapping $T^B=(t^0,\ldots,t^{m-1})$ of the form
271: $$t^k(x^0,\ldots,x^{m-1})= x^k\oplus
272: \bigg(\bigg(\bigwedge_{s=0}^{k-1} x^s\bigg)
273: \wedge
274: \bigg(\bigwedge_{r=0}^{m-1}
275: ((x^r+1)\oplus x^r)\bigg)\bigg)
276: \oplus u^k(x^0,\ldots,x^{m-1}),$$
277: where
278: \begin{equation}
279: \label{eq:EvenPar}
280: \sum_{(x^0,\ldots,x^{m-1})=(0,\ldots,0)}^{(2^r-1,\ldots,2^r-1)}
281: \delta_r(u^k(x^0,\ldots,x^{m-1}))\equiv 0\pmod 2
282: \end{equation}
283: for all $r=0,1,2,\ldots$.\footnote{such mappings $u^k$ are called {\it
284: even parameters}
285: in \cite{KlSh:3}}
286: With the use of these considerations we deduce from theorem
287: \ref{ergBool}
288: %\ref{pr:WP:even}
289: the following
290: \begin{prop}
291: \label{cor:WP:mult}
292: Let $f^j_s\:\Z_2\>\Z_2$ $(s\in\{0,1,\ldots, m-1\}$, $j=0,1,\ldots, m-1)$ be {\textup
293: (}univariate{\textup)}
294: ergodic functions, let
295: $g^j_s\:\Z_2\>\Z_2$ $(s\in\{0,1,\ldots, j-1\}$ , $j=1,2,\ldots, m-1)$ be
296: {\textup(}univariate{\textup)}
297: measure-preserving functions.
298: %, and let $\star\in\{+,\oplus\}$.
299: Then the mapping
300: $$H^B(x^0,\ldots,x^{m-1})=(h^0(x^0,\ldots,x^{m-1}),\ldots,h^{m-1}(x^0,\ldots,x^{m-1}))$$
301: of $(\Z_2)^{(m)}$ onto $(\Z_2)^{(m)}$ such that
302: %which is
303: %defined by
304: \begin{gather*}
305: h^0(x^0,\ldots,x^{m-1})=
306: %x_0\mapsto
307: x^0\oplus
308: \bigg(\bigwedge_{r=0}^{m-1}
309: (f^{0}_r(x^r)\oplus x^r)\bigg)
310: %((f_0^0(x_0)\oplus x_0)\wedge\cdots\wedge
311: %(f_0^{m-1}(x_{m-1})\oplus x_{m-1}))
312: ;\\
313: h^1(x^0,\ldots,x^{m-1})=
314: %x_1\mapsto
315: x^1\oplus\bigg(g^1_0(x^0)\wedge
316: \bigg(\bigwedge_{r=0}^{m-1}
317: (f^{1}_r(x^r)\oplus x^r)\bigg)\bigg)
318: %(f_1^0(x_0)\oplus x_0)\wedge\cdots\wedge
319: %(f_1^{m-1}(x_{m-1})\oplus x_{m-1}))
320: ;\\
321: \ldots \ldots \ldots\ldots\ldots\ldots\ldots\ldots\ldots
322: \ldots\ldots\ldots\ldots\ldots\ldots\ldots\ldots\ldots\ldots\ldots\ldots\ldots\\
323: h^{m-1}(x^0,\ldots,x^{m-1})=
324: %x_{m-1}\mapsto
325: x^{m-1}\oplus\bigg(\bigg(\bigwedge_{s=0}^{m-2} g^{m-1}_s(x^s)\bigg)
326: \wedge
327: %\cdots\wedge
328: %g_{m-1}^{m-1}(x_{m-1})
329: \bigg(\bigwedge_{r=0}^{m-1}
330: (f^{m-1}_r(x^r)\oplus x^r)\bigg)\bigg)
331: %\wedge\cdots\wedge
332: %(f_{m-1}^{m-1}(x_{m-1})\oplus x_{m-1})).
333: \end{gather*}
334: is ergodic. That is, for all $n=1,2,\ldots$ the mapping $H$
335: induces modulo $2^n$ a permutation with a single
336: cycle; hence the length of this cycle is $2^{mn}$.
337: \end{prop}
338: \begin{proof}
339: %[Proof of proposition \ref{cor:WP:mult}]
340: %To prove proposition
341: %\ref{cor:WP:mult}
342: It sufficies to demonstrate that the conjugate mapping
343: $H\:\Z_2\>\Z_2$ is compatible
344: and ergodic.
345: Denote $\chi_k^r=\delta_k(x^r)$; we have to represent $\delta_t(h^s(x^0,\ldots,x^{m-1}))$
346: as a Boolean polynomial in Boolean variables $\chi_k^r$. For $c\in\{0,1,\ldots,
347: m-1\}$ let
348: $$F^c=\bigwedge_{r=0}^{m-1}
349: (f^{c}_r(x^r)\oplus x^r);\qquad G^c= \bigwedge_{s=0}^{c-1} g^{c}_s(x^s), \quad
350: (c>0);\qquad
351: G^0=-1.$$
352: Now, since the functions $g_s^j$ and $f_s^j$ are compatible and,
353: respectively, measure preserving/ergodic, in view of \ref{ergBool} one
354: obtains the following representation of $\delta_k(g_s^j)$ and $\delta_k(f_s^j)$
355: as Boolean polynomials:
356: \begin{gather*}
357: \delta_k(g_s^j(x^s))=\chi_k^s+\varphi_k^j(\chi_0^s,\ldots,\chi_{k-1}^s);\\
358: \delta_0(f_s^j(x^s))=\chi_0^s+1;\\
359: \delta_k(f_s^j(x^s))=\chi_k^s+\chi_0^s\cdots\chi_{k-1}^s+
360: \psi_k^j(\chi_0^s,\ldots,\chi_{k-1}^s)
361: \quad (k>0);
362: %\deg\psi_k^j(\chi_0^j,\ldots,\chi_{k-1}^j)<k, \quad (k>0).
363: \end{gather*}
364: where $\deg\psi_k^j(\chi_0^s,\ldots,\chi_{k-1}^s)<k$.
365: Further, since
366: $$\delta_k(G^c\wedge F^c)\equiv\prod_{s=0}^{c-1}\delta_k(g_s^c(x^s))\cdot
367: \prod_{s=0}^{m-1}(\delta_k(f_s^c(x^s)+\delta_k(x^s))\pmod 2,$$
368: the above equations imply that
369: \begin{gather*}
370: \delta_0(G^0\wedge F^0)=1;\\
371: \delta_0(G^c\wedge F^c)=\chi_0^0\cdots\chi_0^{c-1}+\Phi_0^c, \quad (c>0);\\
372: \delta_k(G^0\wedge F^0)=\chi_0^0\cdots\chi_{k-1}^0\cdots
373: \chi_0^{m-1}\cdots\chi_{k-1}^{m-1}+
374: \Phi_k^0, \quad (k>0)
375: %(\chi_0^0\cdots\chi_{k-1}^0\cdots
376: %\chi_0^{m-1}\cdots\chi_{k-1}^{m-1})
377: ;\\
378: \delta_k(G^c\wedge F^c)=\chi_k^0\cdots\chi_k^{c-1}\cdot
379: \chi_0^0\cdots\chi_{k-1}^0\cdots
380: \chi_0^{m-1}\cdots\chi_{k-1}^{m-1}+\Phi_k^c,\quad (c>0, k>0).
381: \end{gather*}
382: where $\Phi_k^c$ (respectively, $\Phi_k^0$ or $\Phi_0^c$) is a Boolean polynomial in
383: Boolean variables
384: $$\chi_k^0,\dots,\chi_k^{c-1},
385: \chi_0^0,\dots,\chi_{k-1}^0,\dots,
386: \chi_0^{m-1},\dots,\chi_{k-1}^{m-1}$$
387: (respectively, in
388: $\chi_0^0,\dots,\chi_{k-1}^0,\dots,
389: \chi_0^{m-1},\dots,\chi_{k-1}^{m-1}$ or $\chi_0^0,\dots,\chi^{c-1}_0$),
390: and $\deg\Phi_k^c<mk+c$.
391: Finally,
392: $
393: \delta_k(h^c(x^0,\ldots,x^{m-1}))=
394: %\begin{cases}
395: \chi_k^c+\delta_k(G_k^c\wedge F_k^c),
396: %&\text{if $\star=\oplus$;}\\
397: %\chi_k^c+\delta_k(G_k^c\wedge F_k^c)+\Psi_k^c, &\text{if $\star=+$,}
398: %\end{cases}
399: $
400: and the result follows in view of \ref{ergBool}.
401: \end{proof}
402: \begin{note}
403: \label{note:Mult:oplus}
404: Of course, the assertion of the proposition remains true for the mappings
405: $\hat h^s=h^s\oplus u^s$, $(s=0,1,\ldots,m-1)$, where $u^s$ is an arbitrary
406: mapping that satisfies \eqref{eq:EvenPar}, since these mappings $u^s$ add
407: summands of degree $<mk+s$ to each Boolean polynomial
408: $\delta_k(h^s(x^0,\ldots,x^{m-1}))$, see the proof of \ref{cor:WP:mult}.
409: \end{note}
410: With this note we can deduce some consequences of proposition \ref{cor:WP:mult}.
411: \begin{cor}
412: \label{cor:Mult:KS}
413: {\rm \cite[Theorem 6 and Lemma 1]{KlSh:3}}
414: The $m$-variate mapping defined by
415: $$h^s(x^0,\ldots,x^{m-1})=x^s\oplus((h(x^0\wedge\cdots\wedge x^{m-1})\oplus
416: (x^0\wedge\cdots\wedge x^{m-1}))\wedge x^0\wedge\cdots\wedge x^{s-1}),$$
417: $s=0,1,\ldots,m-1$, is compatible and ergodic whenever $h$ is a univarite
418: compatible and ergodic function.
419: \end{cor}
420: \begin{proof} Just note that both
421: $\delta_k\big(\bigwedge_{t=0}^{m-1}(h(x^t)\oplus x^t)\big)$ and
422: $\delta_k\big(h\big(\bigwedge_{t=0}^{m-1}x^t\big)\oplus
423: \big(\bigwedge_{t=0}^{m-1}x^t\big)\big)$ are Boolean polynomials of the
424: same degree $mk+s$.
425: \end{proof}
426: \begin{cor}
427: \label{cor:Mult:plus}
428: For $m>1$ under conditions of \ref{cor:WP:mult} the following
429: $m$-variate mapping
430: $$
431: h^{t}(x^0,\ldots,x^{m-1})=
432: %x_{t}\mapsto
433: x^{t}+\bigg(\bigg(\bigwedge_{s=0}^{t-1} g^{t}_s(x^s)\bigg)
434: \wedge
435: \bigg(\bigwedge_{r=0}^{m-1}
436: (f^{t}_r(x^r)\oplus x^r)\bigg)\bigg),
437: $$
438: $t=0,1,\ldots, m-1$, is compatible and ergodic.
439: \end{cor}
440: \begin{proof} Integer addition $+$ adds carry from the $(mk+c)$\textsuperscript{th}
441: bit to $(m(k+1)+c)$\textsuperscript{th} bit of the coniugate mapping $H:\Z_2\>\Z_2$;
442: the carry is a Boolean polynomial in variables
443: $$\chi_k^c,\chi_k^0,\dots,\chi_k^{c-1},
444: \chi_0^0,\dots,\chi_{k-1}^0,\dots,
445: \chi_0^{m-1},\dots,\chi_{k-1}^{m-1},$$
446: hence, integer addition just adds a Boolean polynomial in $km+c+1$ variables to the Boolean polynomial
447: $\delta_{k+1}(h^c(x^0,\ldots,x^{m-1})$ in $(k+1)m+c$ variables. So this
448: extra summand is of degree at most $km+c+1<(k+1)m+c$, see the proof of
449: proposition \ref{cor:WP:mult}.
450: \end{proof}
451: \begin{note}
452: \label{note:Mult:plus}
453: Again, the corollary remains true for the mapping
454: $\hat h^s=h^s+u^s$, $(s=0,1,\ldots,m-1)$, where $u^s$ is an arbitrary
455: mapping that satisfies \eqref{eq:EvenPar}.
456: \end{note}
457:
458:
459: We recall
460: that
461: according to \cite[Proposition 3.10]{me:3}, a compatible univariate function
462: $g\:\Z_2\>\Z_2$ (resp., $f\:\Z_2\>\Z_2$) preserves measure
463: (resp., is ergodic)
464: iff
465: %Each compatible and ergodic
466: %\textup {(}respectively each compatible
467: %and measure preserving \textup {)}
468: %mapping $z\mapsto f(z)\ (z\in\mathbb Z_2)$
469: it could be represented as
470: $g(x)=d+x+2\cdot v(x)$ \textup {(}respectively as
471: $f(x)=1+x+2\cdot(v(x+1)-v(x))$\textup {)} for suitable $d\in\mathbb Z_2$
472: and compatible
473: $v\colon\mathbb
474: Z_2\rightarrow \mathbb Z_2$. In other words, one can assume $v$ to be an arbitrary
475: (e.g., key-dependent)
476: composition of arithmetic operations (such as addition, multiplication,
477: subtraction, etc.) and bitwise logical operations (such as $\XOR$, $\AND$,
478: $\OR$, etc.); see \cite{me:3} for details. Thus, to obtain a cycle of length,
479: say, $2^{256}$ applying the above results, one could use $8$-variate mappings and work with $32$-bit
480: words, which are standard for most contemporary computers.
481:
482: We note, however, that similarly to a univariate case, only senior bits
483: of output sequence achieve maximum period length: To
484: be more exact, if $x^j_i$ is the value of the $j$\textsuperscript{th} variable
485: at the $i$\textsuperscript{th} step,
486: $(x^0_{i+1},\ldots,x^{m-1}_{i+1})=H^B(x^0_i,\ldots,x^{m-1}_i)$, then the
487: period length of the bit sequence $\{\delta_s(x^j_i)\:i=0,1,2,\ldots\}$ is
488: $2^{ms+j+1}$,
489: for
490: $s\in\{0,1,\ldots\}$,
491: $j\in\{0,1,\ldots,m-1\}$. This could be improved by the use of multivariate
492: output functions in a manner of \cite[Proposition 4.13]{me:3}, namely:
493: \begin{prop}
494: \label{pr:OutMult}
495: Let $H^B$ and$F^B$ be $m$-variate ergodic mappings that satisfy conditions
496: of proposition \ref{cor:WP:mult}, and let $\pi\:\Z/n\>\Z/n$ be an arbitrary
497: permutation of bits of $n$-bit word $z\in\Z/2^n$ such that $\delta_0(\pi(z))=\delta_{n-1}(z)$
498: {\rm (e.g., $\pi$ could be a bit order reversing permutation, or a $1$-bit
499: cyclic
500: shift towards senior bits)}. Consider a recurrence sequence $\mathcal Y=\{\mathbf
501: y_i\:i=0,1,2\ldots\}$ over $(\Z/2^n)^{(m)}$
502: defined by the laws
503: $$\mathbf x_{i+1}=H^B(\mathbf x_i)\bmod 2^n;\quad
504: \mathbf y_i=F^B(\pi(x^{m-1}_i),x^0_i,\ldots,x^{m-2}_i)\bmod 2^n,$$
505: where $\mathbf x_j=(x_j^0,\ldots,x_j^{m-1}),
506: \mathbf y_j=(y_j^0,\ldots,y_j^{m-1})\in(\Z/2^n)^{(m)}$. Then the
507: output sequence $\mathcal Y$ is purely periodic, its period
508: length is exactly $2^{nm}$, each element of $(\Z/2^n)^{(m)}$ occurs at the
509: period exactly once, and the period length of each coordinate sequence
510: $\delta_k(\mathcal Y^s)=\{\delta_k(y_i^s)\:i=0,1,2,\ldots\}$
511: is exactly $2^{nm}$. \footnote{Recall that according to \cite{me:3} the term
512: ``exactly"
513: within this context means that the purely periodic binary sequence $\delta_k(\mathcal Y^s)$
514: has no periods of lengths less than $2^{nm}$.}
515: \end{prop}
516: \begin{proof} Immediately follows by application of \cite[Proposition 4.13]{me:3}
517: to (univariate) conjugate mappings $H$ and $F$; we just note that Proposition
518: 4.13 of \cite{me:3}, as it easily follows from its proof,
519: holds for arbitrary permutation $\pi$ that satisfies conditions
520: of our proposition \ref{pr:OutMult}.
521: \end{proof}
522: \begin{note}
523: As it follows from the proof of \cite[Proposition 4.13]{me:3}, to provide maximum
524: period length of all coordinate sequences of output sequence
525: it is sufficient only to apply output function in such a way, that
526: the most significant bit of a state transition function substitutes for
527: the
528: least significant bit of argument of the output function. Thus, the proposition
529: \ref{pr:OutMult} remains true if one
530: permutes variables $x^0,\ldots,x^{m-2}$ of the function $F^B$ in arbitrary
531: order, or permutes bits in these varibles, or apply arbitrary bijections
532: to these variables, etc.
533: \end{note}
534:
535: It turnes out that with the use of techniques of wreath products of \cite{me:3}
536: it is possible to ``lift" an arbitrary permutation on $(\Z/2^n)^{(m)}$
537: with a single cycle
538: to $(\Z_2)^{(m)}$,
539: %then to $(\Z/2^{n+2})^{(m)}$, etc.,
540: i.e. to obtain
541: ``really multivariate" permutations with a single cycle (in a somewhat
542: ``univariate manner", of course).
543: Recall the following theorem, which is a generalization of theorem \ref{ergBool}:
544: \begin{thm}
545: \label{pr:WP:even}
546: {\rm (\cite[4.3 and 4.4; or 4.10]{me:3})}
547: Let $T\colon\mathbb Z/2^M\rightarrow\mathbb Z/2^M$, $M\ge 1$,
548: be an arbitrary permutation
549: with a single cycle, and
550: let the mappings $H_z(\cdot)\:\Z_2\>\Z_2$, $(z\in\Z/2^M)$ satisfy
551: %to make \eqref{eq:WP-even}
552: %valid
553: the following conditions:
554: \begin{enumerate}
555: \item $\delta_i(H_z(x))\equiv \delta_i(x)+\rho_i(z;x)\pmod 2\ (i=0,1,2\ldots),$
556: where $\rho_i$ are Boolean functions in Boolean variables
557: $\delta_r(z)$, $\delta_s(x)$
558: $(r\in\{0,1,\ldots,M-1\}$, $s\in\{0,1,\ldots, i-1\})$, and $\rho_0(z;x)=\rho_0(z)$ does
559: not depend on $x$;
560: \item $\sum_{z=0}^{2^M-1}\rho_0(z)\equiv 1\pmod 2;$
561: \item $\sum_{z=0}^{2^M-1}\sum_{x=0}^{2^i-1}\rho_i(z;x)\equiv 1\pmod 2$,
562: $i=1,2,\ldots$
563: %where the
564: %all are of odd weight.
565: \end{enumerate}
566: Then the mapping
567: $$W(x)=T(x\bmod{2^M})+2^M\cdot H_{x\bmod{2^M}}
568: \bigg(\Big\lfloor\frac{x}{2^M}\Big\rfloor\bigg)$$
569: %this mapping is asypmtotically compatible and asymptotically ergodic
570: %${\rm (i.e., $a\equiv b\pmod{2^k}\Rightarrow W(a)\equiv W(b)\pmod{2^k}$ and
571: %$W$
572: is transitive modulo $2^k$
573: {\rm(that is, induces a permutation with a single cycle on the residue ring
574: $\Z/2^k$ modulo $2^k$)}
575: %for all
576: %sufficiently large $k$; in fact,
577: for all $k\ge M$.
578: \end{thm}
579: From here we deduce the following
580: \begin{prop}
581: \label{pr:Lift}
582: Let $T\:(\Z/2^n)^{(m)}\>(\Z/2^n)^{(m)}$ be an arbitrary {\rm (not necessarily
583: compatible)} $m$-variate mapping
584: with a single cycle, let $H^B\:(\Z_2)^{(m)}\>(\Z_2)^{(m)}$ be any $m$-variate
585: compatible ergodic mapping mentioned above {\rm (see \ref{cor:WP:mult},
586: \ref{note:Mult:oplus}, \ref{cor:Mult:KS}, \ref{cor:Mult:plus}, \ref{note:Mult:plus})}.
587: Then the $m$-variate mapping $W^B(\mathbf x)=T(\mathbf x\bmod 2^n)+
588: (H^B(\mathbf x)\wedge((-2^n)^{(m)}))$ of $(\Z_2)^{(m)}$ onto
589: $(\Z_2)^{(m)}$
590: %is asymptotically compatible and asymptotically ergodic; that is, $W^B$
591: induces
592: a permutation with a single cycle modulo $2^N$ for all $N\ge n$.
593: \end{prop}
594: Recall that a $2$-adic representation of $-2^n$ is an infinite binary string such
595: that first $n$ bits of it are $0$, and the rest are $1$. In other words,
596: $H^B(\mathbf x)\wedge((-2^n)^{(m)})$ takes
597: $\mathbf x=(x^0,\ldots,x^{m-1})$ to
598: $(h^0(\mathbf x)\wedge(-2^n),\ldots,h^{m-1}(\mathbf x)\wedge(-2^n))$, thus
599: sending to $0$ the first $n$ low order bits,
600: whereas
601: $\mathbf x\bmod 2^n=(x^0\bmod 2^n,\ldots,x^{m-1}\bmod 2^n)$ sends to $0$
602: all senior order bits, starting with the $n$\textsuperscript{th} bit
603: (we start enumerate bits with $0$).
604: \begin{proof}[Proof of proposition \ref{pr:Lift}] The conjugate mapping
605: $W$ satisfies \ref{pr:WP:even} for $M=nm$ since all Boolean polynomials
606: $\delta_j(h^s(\mathbf x))$ are of odd weight, see the proof of \ref{cor:WP:mult}.
607: \end{proof}
608:
609: Concluding the section we just note that it is clear now how to construct counter-dependent
610: generators with the use of
611: the above multivariate ergodic mappings. Take, for instance, $M>1$ odd,
612: and take a finite sequence\footnote{which may be stored in memory, or may be generated
613: on the fly while implementing the corresponding generator}
614: $$\{\mathbf c_j=(c_j^0,\ldots, c_j^{M-1})\:j=0,1,\ldots,M-1\}$$
615: %and $\{\mathbf
616: %d_j\:j=0,1,\ldots,M-1\}$
617: of $m$-dimensional vectors over $\Z/2^n$
618: %a ring $\Z_2$ of $2$-adic integers
619: such that the sequence of its first coordinates
620: satisfy conditions of proposition 4.3 of \cite{me:3};
621: that is, $\sum_{j=0}^{M-1}c_j^0
622: %\equiv\sum_{j=0}^{M-1}d_j^0
623: \equiv 0\pmod 2$,
624: and the sequence $\{c_{j\bmod M}^0\bmod 2\:j=0,1,\ldots\}$
625: %and
626: %$\{d_{j\bmod M}^0\bmod 2\:j=0,1,\ldots\}$ are
627: is purely periodic of period length
628: exactly $M$. Then take arbitrary $m$-variate ergodic mappings $H_j^B$ and
629: $F_j^B$, $j=0,1,\ldots,M-1$ described above and consider recurrence
630: sequences defined by the laws
631: %$$\mathbf u_{i}=d_{i\bmod M}\oplus F_i(x_i);\quad w_{i+1}\equiv f_i(w_i)\pmod{2^n},\quad (i=0,1,2,\ldots).$$
632: $$
633: \begin{array}{rcl}
634: \mathbf x_{i+1}&=&(\mathbf c_{i\bmod M}\oplus H^B_{i\bmod M}(\mathbf x_i))\bmod 2^n;\\
635: \mathbf y_i&=&(\mathbf F^B_{i\bmod M}(\pi(x^{m-1}_i),x^0_i,\ldots,x^{m-2}_i))\bmod 2^n,\\
636: \end{array}
637: $$
638: for $i=0,1,2,\ldots$, where $\pi$ satisfies conditions of \ref{pr:OutMult}.
639: Then the sequence of internal states $\{\mathbf x_i\}$ is purely periodic
640: of period length exactly $M\cdot 2^{nm}$, and each $m$-dimensional vector
641: over $\Z/2^n$ occurs at the period exactly $M$ times. The output sequence
642: $\mathcal Y=\{\mathbf y_i\}$ is also purely periodic of period length exactly $M\cdot 2^{nm}$,
643: and each $m$-dimensional vector
644: over $\Z/2^n$ occurs at the period exactly $M$ times; moreover,
645: the period length of each coordinate sequence
646: $\delta_k(\mathcal Y^s)=\{\delta_k(y_i^s)\:i=0,1,2,\ldots\}$
647: is a multiple of $2^{nm}$, which
648: %(to be more exact, it
649: is not less than $2^{nm}$ and does not exceed $M\cdot 2^{nm}$. This conclusion
650: follows immediately by application of \cite[Propositions 4.6 and 4.13]{me:3}
651: to conjugate mappings $H_j$ and $F_j$. The other counter-dependent generators (for $M=2^k$
652: or arbitrary $M$) based on \cite[4.3, 4.4, 4.6 and 4.10]{me:3} could be constructed
653: by the analogy.
654:
655: \section{Skew shifts and wreath products: a discussion}
656: \label{Skew}
657: The aim of this section is to make more transparent the core mapping underlying the
658: constructions
659: introduced in \cite{me:3}, \cite{me:2}, \cite{me:1}, \cite{me:conf}, \cite{KlSh:1},
660: \cite{KlSh:2}, \cite{KlSh:3}, as well as \cite{me:ex} and even \cite{me:gr}.
661: This mapping is wreath product\footnote{this notion is more common for group
662: theory} of permutations; wreath product of permutations
663: %were used in \cite{me:3} to construct counter-dependent
664: %generators. Wreath product of permutations
665: is a special
666: case of a skew product transformation\footnote{the latter notion is well known in dynamical systems
667: and ergodic theory}. We recall the most abstract definiton:
668: \begin{defn} Given two non-empty sets $X$, $Y$, a mapping $h\:X\>X$,
669: %a non-empty set of mappings $\mathcal H$ of $Y$ into $Y$,
670: and a mapping
671: $H\:X\>Y^Y$, where $Y^Y$ \footnote{i.e., a Cartesian power of $Y$} is a set of
672: all mappings of $Y$ into
673: $Y$. Denote the action of $H$ as $(H(x))(y)=H_x(y)$
674: for $x\in X, y\in Y$. Then the {\it skew product transformation} $H\Wr h $ is a mapping of
675: a direct product
676: $X\times Y$ into itself such that $(H\Wr h)(x,y)=(h(x),H_x(y))$.
677: \end{defn}
678: It is obvious that if $h$ is a bijection and all $H_x$, $x\in X$ are bijections,
679: then $H\wr h$ is a bijection. For instance, if $\star$ is a quasigroup
680: operation on $Y$ \footnote{that is, for all $a,b\in Y$ both equations $y\star a=b$
681: and $a\star y=b$ have unique
682: solutions in $y$}, $F\:X\>Y$ is an arbitrary mapping and $H_x(y)=y\star
683: F(x)$, then $H\wr h$ is bijective whenever $h$ is bijective. A classical
684: example in ergodic theory is skew shift on torus, which takes $(x,y)\in
685: (\mathbb T)^{(2)}$ to $(x\boxplus \gamma, y\boxplus \alpha(x))$, where
686: $(\mathbb T)^{(2)}$ is a $2$-dimensional torus (i.e., a Cartesian product
687: of a real interval $[0,1]$ onto itself); $\gamma,\alpha(x)\in[0,1]$, and
688: $\boxplus $ is addition modulo $1$ of reals of $[0,1]$.
689:
690: Another example
691: of imporance to cryptography is an $i$\textsuperscript{th}
692: round permutation $R_i(k)$ of a Feistel network: This permutation
693: takes $(x,y)\in(\Z/2^n)^{(2)}$ to $(y\oplus f_i(k,x), x)$ (with
694: $k$ being a key). Obviously, $R_i(k)$ is a composition of a skew shift $(x,y)\mapsto
695: (x,y\oplus f_i(k,x))$ and a permutation $\tau(x,y)=(y,x)$, which merely
696: changes positions of two concatented $n$-bit subwords in a $2n$-bit word.
697: By the way, we used a construction somewhat
698: resembling this permutation $R_i(k)$ in \ref{pr:OutMult}: In fact,
699: %as we noted in
700: %\cite{me:3},
701: from \ref{ergBool}
702: it is clear that a compatible mapping (or a $T$-function, in
703: terminology of \cite{KlSh:1}) of $\Z/2^N$ into $\Z/2^N$
704: is
705: %a skew shift
706: %on $N$-dimensional discrete torus $(\Z/2)^{(N)}$, that is,
707: a composition
708: of
709: $N$ skew product transformations of $\Z/2$, and that a measure preserving
710: mapping (or invertible $T$-function) is a skew shift on $N$-dimensional
711: discrete torus $(\Z/2)^{(N)}$. The skew products seems to become popular
712: in cryptography: Boaz Tsaban noted that a construction
713: of a counter-dependent generator of \cite{ShTs} is just an ergodic-theoretic
714: skew-product of a counter (or any automata) with the given automata.
715: In particular, if the counter is replaced by any ergodic transformation,
716: then the resulting cipher will be ergodic, \cite{Ts}. All these observations
717: lead to a suggestion that there are tight connections between ergodic theory
718: and cryptography. In fact, in this pper we use the notions of ergodicity and measure
719: preservation just because the corresponding mappings are ergodic or measure-preserving
720: in exact sence of ergodic theory.
721:
722: Of course, the most intriguing is a question, which naturally arises in this connection,
723: whether an ergodic theory could give something to prove (or to give strong
724: evidence of) cryptographic security
725: of a corresponding schemes. Might be, it is too early to put such a question
726: now, yet note that one of one-way candidates, namely, DES with a fixed
727: message, is a composition of skew shifts with a permutation $\tau$. Note
728: that in a corresponding construction \cite{LuRa} DES is assumed to be a family of
729: pseudorandom functions. In \cite{me:3} we conjectured that a mapping $F\:\Z/2^n\>\Z/2^k$
730: defined by $k$ randomly and independently choosen Boolean polynomials (with
731: polynomially restricted number of monomials) in
732: $n$ variables is a one-way function, and gave some evidence that
733: among the
734: generators we studied there may exist ones that are provably strong
735: against a known plaintext attack. A stronger assumption that $F$ is
736: a pseudorandom function\footnote{to be more exact, assuming that it is
737: possible to construct with these mappings $F$ a family of pseudorandom
738: functions; the corresponding construction, which is under study now,
739: is based on skew shifts}(how plausible this asumption is?) may lead to
740: a proof that a corresponding generator is pseudorandom. For instance,
741: forming of output sequence $\{y_i\}$ (see \cite[Section 6]{me:3}
742: for notations) a sequence
743: $y_{0}, y_{0}\oplus y_1,\ldots,y_{m-2}\oplus y_{m-1},\ldots$
744: with probability $1-\epsilon$ one obtains that\footnote{we are using an opportunity
745: here to fix a misprint in \cite{me:3}}
746: $$y_{0}=F(z), y_{0}\oplus y_1=F(z+1),\ldots,y_{m-2}\oplus y_{m-1}=F(z+m-1),\ldots$$
747: Yet under assumptions that are made, this sequence, as well as the output
748: sequence must be pseudorandom.
749:
750: More ``ergodic-theoretic common features" could be seen while analysing proofs
751: of corresponding reslts. The mappings defined by compositions of arithmetic
752: and bitwise logical operations turnes out to be continuous on $\Z_2$, and
753: moreover, rather close to uniformly differentiable mappings, see \cite{me:1},
754: \cite{me:2}, \cite{me:3}, \cite{me:conf}. To study certain important
755: cryptographic properties of these mapping we approximate them (with respect
756: to a $2$-adic distance) by uniformly differentiable functions; we have
757: to calculate derivatives of these functions to check whether a given mapping
758: is a permutation, or whether it is equiprobable. On the other hand, to
759: study similar questions for other algebraic systems, e.g., discrete groups,
760: we have also to study derivatives, namely, Fox derivatives of mappings
761: of groups, see \cite{me:gr}, \cite{me:ex} for details. Thus, we have to
762: use ``continuous" techniques to study ``discrete" problems. We could continue
763: such observations. At our view,
764: all this is more than a mere analogy between ergodic-theoretic and cryptographical
765: constructions.
766:
767:
768:
769: \begin{thebibliography}{99}
770:
771: \bibitem{me:3}
772: V. Anashin, \emph{Pseudorandom Number Generation by $p$-adic Ergodic
773: Transformations}, 2004. A preprint available from
774: \href{http://arXiv.org/abs/cs.CR/0401030}%%При включенном hyperref включить
775: %для создания гиперссылки!!!
776: {http://arXiv.org/abs/cs.CR/0401030}
777:
778: \bibitem{me:2}
779: V. S. Anashin.
780: `Uniformly distributed sequences of $p$-adic integers, II',
781: %V.S.Anashin,
782: %Uniformly distributed sequences of p-adic integers.
783: (Russian)
784: {\it Diskret. Mat.} {\bf 14} (2002), no. 4, 3--64;
785: English translation in {\it Discrete Math. Appl.} {\bf 12} (2002), no. 6,
786: 527--590.
787: A preprint in English available from
788: \href{http://arXiv.org/math.NT/0209407}%%При включенном hyperref включить
789: %для создания гиперссылки!!!
790: {http://arXiv.org/math.NT/0209407}
791:
792: \bibitem{me:1}
793: V. S. Anashin
794: `Uniformly distributed sequences over $p$-adic integers',
795: {\it Mat. Zametki\/}, {\bf 55} (1994), No 2, 3--46
796: (in Russian; English transl. in
797: {\it Mathematical Notes}, {\bf 55},(1994), No 2,
798: 109--133.)
799:
800: \bibitem{me:conf}
801: Anashin V. S.
802: `Uniformly distributed sequences over $p$-adic integers',
803: {\it Number theoretic and algebraic methods in computer science.
804: Proceedings of the Int'l Conference (Moscow, June--July, 1993)\/}
805: (A. J. van der Poorten, I. Shparlinsky and H. G. Zimmer, eds.),
806: World Scientific, 1995, 1--18.
807:
808: \bibitem{me:ex}
809: V. S. Anashin
810: \emph{Uniformly distributed sequences in computer algebra, or how to construct
811: program generators of random numbers},
812: {\it J. Math. Sci.\/} (Plenum Publishing Corp.,
813: New York),
814: {\bf 89} (1998),
815: No 4,
816: 1355 -- 1390.
817:
818: \bibitem{me:gr}
819: V. S. Anashin, \emph{Solvable groups with operators and commutative rings
820: admitting transitive polynomials}, Algebra and Logic {\bf 21}(1982), 627--646
821:
822:
823: \bibitem{KlSh:3}
824: A. Klimov and A. Shamir, \emph{New Cryptographic Primitives Based on Multiword
825: $T$-functions}, 2004, (to appear).
826:
827: \bibitem{KlSh:1}
828: A. Klimov, A. Shamir. `A new class of invertible mappings', in:
829: {\it Cryptographic Hardware and Embedded Systems 2002}
830: (B.S.Kaliski Jr.et al., eds.)), Lect. Notes in Comp. Sci.,Vol. 2523,
831: Springer-Verlag, 2003, pp.470--483.
832:
833: \bibitem{KlSh:2}
834: A. Klimov, A. Shamir.
835: `Cryptographic applications of $T$-functions', in:
836: {\it Selected Areas in Cryptography -2003}
837:
838: \bibitem{LuRa}
839: M. Luby, C. Rackoff. \emph{A study of password sequrity}, In:
840: Proc. Crypto'87, LNCS {\bf 293}, Springer-Verlag, 1998., pp. 392--397
841:
842: \bibitem{ShTs}
843: A. Shamir, B. Tsaban.
844: \emph{Guaranteeing the diversity of number generators},
845: Information and Computation \textbf{171} (2001),
846: 350--363.
847: %{\it Guaranteeing the diversity of number generators.\/}
848: Available from
849: \href{http: //arXiv.org/ abs/ cs.CR/ 0112014}%%При включенном hyperref включить
850: %для создания гиперссылки!!!
851: {http: //arXiv.org/ abs/ cs.CR/ 0112014}
852:
853: \bibitem{Ts}
854: B. Tsaban, private communication.
855:
856:
857:
858: \end{thebibliography}
859:
860: \end{document}
861:
862:
863: