Finite Fields and Their Applications 14 (2008) 410–416

http://www.elsevier.com/locate/ffa

Exponential sums of nonlinear congruentialpseudorandom number generators with Rédei functions

Jaime Gutierrez a,∗, Arne Winterhof b

a Faculty of Sciences, University of Cantabria, E-39071 Santander, Spainb Johann Radon Institute for Computational and Applied Mathematics (RICAM), Austrian Academy of Sciences,

Altenbergerstr. 69, 4040 Linz, Austria

Received 31 October 2006; revised 11 March 2007

Available online 7 April 2007

Communicated by Gary L. Mullen

Dedicated to Peter M. Gruber on the occasion of his 65th birthday

Abstract

The nonlinear congruential method is an attractive alternative to the classical linear congruential methodfor pseudorandom number generation. We give new bounds of exponential sums with sequences of itera-tions of Rédei functions over prime finite fields, which are much stronger than bounds known for generalnonlinear congruential pseudorandom number generators.© 2007 Elsevier Inc. All rights reserved.

Keywords: Exponential sums; Nonlinear congruential generator; Rédei functions; Cryptography

1. Introduction

For an integer q > 1 we denote by Zq the residue ring modulo q and always assume that it isrepresented by the set {0,1, . . . , q − 1}. As usual, we denote by Uq the set of invertible elementsof Zq .

Accordingly, for a prime p, we denote by Fp∼= Zp the field of p elements and as before, we

assume that it is represented by the set {0,1, . . . , p−1}. In particular, sometimes, where obvious,we treat elements of Zq and Fp as integers in the above range.

* Corresponding author.E-mail addresses: jaime.gutierrez@unican.es (J. Gutierrez), arne.winterhof@oeaw.ac.at (A. Winterhof).

1071-5797/$ – see front matter © 2007 Elsevier Inc. All rights reserved.doi:10.1016/j.ffa.2007.03.004

J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416 411

Given a polynomial F(X) ∈ Fp[X] of degree at least 2, we define the nonlinear congruentialgenerator (xn) of elements of Fp by the recurrence relation

xn+1 ≡ F(xn) (mod p), n = 0,1, . . . , (1)

with some initial value x0.Recently in [7], a new method has been invented to study the distribution of such sequences

for arbitrary polynomials F(X) by estimating exponential sums, see also recent surveys [6,9,10,13]. Unfortunately, for general polynomials, this method leads to rather weak bounds. How-ever, in the special case of the inversive congruential generator this method leads to a muchstronger bound [8]. For two other special classes of polynomials, namely for monomials andDickson polynomials an alternative approach, producing much stronger bounds has been pro-posed in [1–3].

This article deals with another special case of the nonlinear congruential pseudorandom num-ber generator constructed via Rédei functions defined in the sequel.

Suppose that

r(X) = X2 − αX − β ∈ Fp[X]

is an irreducible quadratic polynomial with the two different roots ξ and ζ = ξp in Fp2 . Thenany polynomial b(X) ∈ Fp2 [X] can uniquely be written in the form b(X) = g(X) + h(X)ξ withg(X),h(X) ∈ Fp[X]. For a positive integer e we consider the elements

(X + ξ)e = ge(X) + he(X)ξ. (2)

Note that ge(X) and he(X) do not depend on the choice of the root ξ of r(X). Evidently, e isthe degree of the polynomial ge(X), and he(X) has degree at most e − 1, where equality holdsif and only if gcd(e,p) = 1 (see also [4, p. 22], [12]). The Rédei function Re(X) of degree e isthen given by

Re(X) = ge(X)

he(X).

The following facts can be found in [11]. The Rédei function Re(X) is a permutation of Fp

if and only if gcd(e,p + 1) = 1, the set of these permutations is a group with respect to thecomposition which is isomorphic to the group of units of Zp+1. In particular for indices m,n

with gcd(m,p + 1) = gcd(n,p + 1) = 1 we have

Rm

(Rn(u)

) = Rmn(u) = Rn

(Rm(u)

)for all u ∈ Fp. (3)

For further background on Rédei functions we refer to [4,11,12].We consider generators (un) defined by

un+1 = Re(un), n � 0, gcd(e,p + 1) = 1,

with a Rédei permutation Re(X) and some initial element u0 ∈ Fp . Note that each mapping overFp can be uniquely represented by a polynomial of degree at most p − 1 and therefore the gen-erator (un) belongs to the class of nonlinear congruential pseudorandom number generators (1).

412 J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416

The sequences (un) are purely periodic, the period length T divides ϕ(p + 1), where ϕ denotesEuler’s totient function. For details we refer to [11, Lemma 3.5].

For a ∈ F∗p we define the exponential sum

Se(a) =T −1∑n=0

ep(aun),

where ep(z) = exp(2πiz/p) for z ∈ Fp .We apply the method of [1,3] to obtain an upper bound on sums |Se(a)|. We remark, however,

that several specific properties of Xe do not hold for Re(X) thus our result is slightly weaker thanthat of [1]. Although we follow the same general method of bounding exponential sums as in [3]the details of the crucial step that a certain auxiliary mapping, see (6) below, is not constant ismuch more intricate.

2. Preliminaries

We recall Lemma 2 from [1].

Lemma 1. For any set K ⊆ Ut of cardinality #K = K , any fixed 1 � δ > 0 and any integert � h � tδ there exists an integer r ∈ Ut such that the congruence

rk ≡ y (mod t), k ∈K, 0 � y � h − 1,

has

Lr(h) � Kh

t

solutions (k, y).

Note that each k corresponds at most one solution (k, y).We also need the following bound on exponential sums [5, Theorem 2].

Lemma 2. Let p be a prime and f/g be a rational function over Fp . Let v be the number ofdistinct roots of the polynomial g in the algebraic closure Fp of Fp . Suppose that f/g is notconstant. Then∣∣∣∣ ∑

ξ∈Fp,g(ξ) �=0

ep

(f (ξ)

g(ξ)

)∣∣∣∣ �(max

(deg(f ),deg(g)

) + v∗ − 2)p1/2 + δ,

where v∗ = v and δ = 1 if deg(f ) � deg(g), and v∗ = v + 1 and δ = 0 otherwise.

3. Main result

Let t be the smallest positive integer for which Re(u0) ≡ Rf (u0) (mod p) whenever e ≡ f

(mod t). Note that t | p + 1 and T is the multiplicative order of e modulo t .

J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416 413

Theorem 3. For every fixed integer ν � 1,

maxa∈F∗

p

∣∣Se(a)∣∣ = O

(T

1− 2ν+12ν(ν+1) t

12(ν+1) p

ν+24ν(ν+1)

),

where the implied constant depends only on ν.

Proof. We put

h = ⌈t

νν+1 T

−νν+1 p

12(ν+1)

⌉.

Since otherwise the result is trivial we may assume h < p−1/2T < t . Because t � T , for thischoice of h we obtain h � p1/2(ν+1), thus Lemma 1 applies.

Because the sequence (un) is purely periodic, for any k ∈ Zt , we have:

Se(a) =T∑

n=1

ep

(aRen+k (u0)

). (4)

Let K be the subgroup of Ut generated by e. Thus #K = T . We select r as in Lemma 1 andlet L be the subset of K which satisfies the corresponding congruence. We denote L = #L. Inparticular, L � hT/t .

By (4) we have

LSe(a) =T∑

n=1

∑k∈L

ep

(aRen+k (u0)

).

Applying the Hölder inequality, we derive

L2ν∣∣Se(a)

∣∣2ν � T 2ν−1T∑

n=1

∣∣∣∣∑k∈L

ep

(aRen+k (u0)

)∣∣∣∣2ν

. (5)

Let 1 � s � t − 1, be defined by the congruence rs ≡ 1 (mod t). By (3) we obtain

Ren+k (u0) ≡ Ren+krs(u0) ≡ Rrek

(Rsen(u0)

)(mod p).

Obviously, the values of sen, n = 1, . . . , T , are pairwise distinct modulo t . Thus, from the defin-ition of t , we see that the values of Rsen(u0) are pairwise distinct modulo p. Therefore, from (5)we derive

L2ν∣∣Se(a)

∣∣2ν � T 2ν−1∑u∈Fp

∣∣∣∣∑k∈L

ep

(aRrek (u)

)∣∣∣∣2ν

.

Denoting F = {rek | k ∈ L} we deduct

414 J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416

L2ν∣∣Se(a)

∣∣2ν � T 2ν−1∑u∈Fp

∣∣∣∣∑f ∈F

ep

(aRf (u)

)∣∣∣∣2ν

� T 2ν−1∑

f1,...,f2ν∈F

∑u∈Fp

ep

(a

ν∑j=1

(Rfj

(u) − Rfν+j(u)

)).

For the case that (fν+1, . . . , f2ν) is a permutation of (f1, . . . , fν), we use the trivial bound forthe inner sum over u, which gives the total contribution O(Lνp).

Otherwise, we claim that the rational function

Ψf1,...,f2ν(X) =

ν∑j=1

(Rfj

(X) − Rfν+j(X)

)(6)

is non-constant. In fact, there exist {k1, . . . , kU } ⊂ {f1, . . . , fν, fν+1, . . . , f2ν} and c1, . . . , cU ∈F

∗p with

1 � k1 < k2 < · · · < kU, 1 < U � 2ν, (7)

satisfying

Ψf1,...,f2ν(X) =

U∑i=1

ci

gki(X)

hki(X)

.

Multiplying with

H(X) =U∏

i=1

hki(X)

we get the polynomial

G(X) =U∑

i=1

cigki(X)

∏j �=i

hkj(X).

With (2) we obtain

(X + ξ)k − (X + ζ )k = (ξ − ζ )hk(X).

Hence, hk(x0) = 0 if and only if

(x0 + ξ

)k

= 1,

x0 + ζ

J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416 415

i.e., (x0 + ξ)/(x0 + ζ ) is a kth root of unity. We may assume kU � f2ν < p. Let ρ be a primitivekU th root of unity in an appropriate extension field of Fp . We note by (7) that ρ �= 1. Then

x0 = ξ − ρζ

ρ − 1

is a root of hkUand hkj

(x0) �= 0 for the remaining hkjthat appear in H(X), and

G(x0) = cUgkU(x0)

∏1�j<U

hkj(x0).

It can easily be seen with (2) that gkU(x0) �= 0, thus G(x0) �= 0 and hence G(X) is not the

zero polynomial. Taking into account that deggf = f , deghf � f − 1 and

maxj=1,...,2ν

fj � maxf ∈F

f < h

we have

Ψf1,...,f2ν(X) = G(X)/H(X), degH,degG < 2νh.

Since G(x0) �= 0 but H(x0) = 0 the rational function G(X)/H(X) cannot be constant andLemma 2 applies. We obtain that the total contribution from such terms is O(L2νhp1/2). Hence

L2ν∣∣Se(a)

∣∣2ν = O(T 2ν−1(Lνp + L2νhp1/2)).

So this leads us to the bound

∣∣Se(a)∣∣2ν = O

(T 2ν−1(L−νp + hp1/2)).

Recalling that L � hT/t , we derive

∣∣Se(a)∣∣2ν = O

(T 2ν−1(tνT −νh−νp + hp1/2)).

Substituting the selected value of h, which balances both terms in the above estimate, we finishthe proof. �Acknowledgments

The first author is partially supported by the research project MTM2004-07086 of the SpanishMinistry of Science and Technology. The second author is supported by the Austrian Academyof Sciences and by the grant P19004-N18 of the Austrian Science Fund (FWF). Parts of the paperwere written during a visit of A.W. to the University of Cantabria. He wishes to thank for thehospitality and financial support. He also wishes to thank the doctors and nurses of the UniversityHospital of Valdecilla.

416 J. Gutierrez, A. Winterhof / Finite Fields and Their Applications 14 (2008) 410–416

References

[1] J.B. Friedlander, J. Hansen, I.E. Shparlinski, On character sums with exponential functions, Mathematika 47 (2000)75–85.

[2] J.B. Friedlander, I.E. Shparlinski, On the distribution of the power generator, Math. Comp. 70 (2001) 1575–1589.[3] D. Gomez-Perez, J. Gutierrez, I.E. Shparlinski, Exponential sums with Dickson polynomials, Finite Fields Appl. 12

(2006) 16–25.[4] R. Lidl, G.L. Mullen, G. Turnwald, Dickson Polynomials, Pitman Monogr. Surveys Pure Appl. Math., Longman,

London, 1993.[5] C.J. Moreno, O. Moreno, Exponential sums and Goppa codes: I, Proc. Amer. Math. Soc. 111 (1991) 523–531.[6] H. Niederreiter, Design and analysis of nonlinear pseudorandom number generators, in: Monte Carlo Simulation,

Balkema, Rotterdam, 2001, pp. 3–9.[7] H. Niederreiter, I.E. Shparlinski, On the distribution and lattice structure of nonlinear congruential pseudorandom

numbers, Finite Fields Appl. 5 (1999) 246–253.[8] H. Niederreiter, I.E. Shparlinski, On the distribution of inversive congruential pseudorandom numbers in parts of

the period, Math. Comp. 70 (2001) 1569–1574.[9] H. Niederreiter, I.E. Shparlinski, Recent advances in the theory of nonlinear pseudorandom number generators, in:

Proc. Conf. on Monte Carlo and Quasi-Monte Carlo Methods, 2000, Springer-Verlag, Berlin, 2002, pp. 86–102.[10] H. Niederreiter, I.E. Shparlinski, Dynamical systems generated by rational functions, in: Lecture Notes in Comput.

Sci., vol. 2643, Springer-Verlag, Berlin, 2003, pp. 6–17.[11] R. Nöbauer, Rédei-Permutationen endlicher Körper, in: J. Czermak, et al. (Eds.), Contributions to General Algebra,

vol. 5, Hölder-Pichler-Tempsky, Vienna, 1987, pp. 235–246.[12] L. Rédei, Über eindeutig umkehrbare Polynome in endlichen Körpern, Acta Sci. Math. 11 (1946) 85–92.[13] A. Topuzoglu, A. Winterhof, Pseudorandom sequences, in: Topics in Geometry, Cryptography and Coding Theory,

Springer-Verlag, Berlin, 2006.