m-Sequences with Good Cross Correlation (conf.fme.vutbr.cz/cecc09/lectures/kholosha.pdf)
m-Sequences with Good Cross Correlation
for Communications and Cryptography
Tor Helleseth and Alexander Kholosha
9th Central European Conference on Cryptography: Třebíč, June 26, 2009
Outline
• m-sequences and their properties
• Correlation of sequences
• Cross correlation of m-sequences and its properties
• Application of sequences with good correlation properties
• Orthogonal sequences and their use
• m-Sequences of different lengths and their cross correlation
m-Sequences and their Properties
Linear recurrence $s_{t+m} + c_{m-1} s_{t+m-1} + \cdots + c_0 s_t = 0$.
Characteristic polynomial $f(x) = x^m + c_{m-1} x^{m-1} + \cdots + c_0$.
Select $f(x)$ such that
• $f(x)$ is irreducible of degree $m$, so $f(x)$ divides $x^{2^m-1} - 1$
• $\gcd(f(x), x^r - 1) = 1$ for any $r \in \{1, \ldots, 2^m - 1\}$ (primitiveness criterion)
Then $f(x)$ generates an m-sequence of period $2^m - 1$.
Properties of m-sequences
• Period $p = 2^m - 1$
• Balancedness (except for a missing 0) and run property
• Any decimation by $d$ with $\gcd(d, 2^m - 1) = 1$ gives an m-sequence, and all m-sequences of this period can be obtained this way
• $\{s_t\} + \{s_{t+\tau}\} = \{s_{t+\gamma}\}$ and $\{s_{2t}\} = \{s_{t+\delta}\}$
Correlation of Sequences
$\{a_t\}$ and $\{b_t\}$ are binary sequences of length $p$.
$$C_{a,b}(\tau) = \sum_{t=0}^{p-1} (-1)^{a_t + b_{t+\tau}} \quad\text{and}\quad A_a(\tau) = \sum_{t=0}^{p-1} (-1)^{a_t + a_{t+\tau}} \quad\text{for } 0 \le \tau < p$$
are respectively the cross-correlation and auto-correlation functions of shift $\tau$.
If $\{s_t\}$ is an m-sequence of period $p = 2^m - 1$ then
$$A_s(\tau) = \begin{cases} 2^m - 1, & \text{if } \tau \equiv 0 \pmod p \\ -1, & \text{otherwise} \end{cases}$$
since $A_s(\tau) = \sum_{t=0}^{p-1} (-1)^{s_t + s_{t+\tau}} = \sum_{t=0}^{p-1} (-1)^{s_{t+\gamma}} = -1$ for $\tau \not\equiv 0 \pmod p$.
Typical problems
• Find the distribution of cross- or auto-correlation values for all shifts.
• Find the exact value of these functions for each shift.
Cross Correlation of m-Sequences, Properties
$\{s_t\}$ binary m-sequence of length $p = 2^m - 1$,
$\{s_{dt}\}$ decimated m-sequence when $\gcd(d, p) = 1$.
$$C_d(\tau) = \sum_{t=0}^{p-1} (-1)^{s_{t+\tau} + s_{dt}} \quad\text{for } 0 \le \tau < p$$
is the cross correlation between two m-sequences.
• $C_d(\tau)$ is 2-valued if and only if $d \equiv 2^i \pmod p$, and at least 3-valued otherwise;
• $C_d(\tau)$ and $C_{d'}(\tau)$ have the same distribution when $dd' \equiv 1 \pmod p$ or $d' \equiv 2^i d \pmod p$;
• $\sum_\tau (C_d(\tau) + 1) = 2^m$;
• $\sum_\tau (C_d(\tau) + 1)^2 = 2^{2m}$;
• $\sum_\tau C_d(\tau)^k = -(2^m - 1)^{k-1} + 2(-1)^{k-1} + a_k 2^{2m}$, where $a_k$ is the number of solutions in $GF(2^m)^*$ of $x_1 + \cdots + x_{k-1} + 1 = 0$ and $x_1^d + \cdots + x_{k-1}^d + 1 = 0$.
Binary 3-Valued Cross Correlation
$C_d(\tau)$ takes on exactly three values in the following cases:
• Gold: $d = 2^k + 1$, where $m/\gcd(m, k)$ is odd;
• Kasami: $d = 2^{2k} - 2^k + 1$, where $m/\gcd(m, k)$ is odd;
• Welch's conjecture (Canteaut, Charpin, Dobbertin): $d = 2^k + 3$, where $m = 2k + 1$;
• Niho's conjecture (Dobbertin, Charpin, Hollman, Xiang):
$$d = \begin{cases} 2^{(m-1)/2} + 2^{(m-1)/4} - 1, & \text{if } m \equiv 1 \pmod 4 \\ 2^{(m-1)/2} + 2^{(3m-1)/4} - 1, & \text{if } m \equiv 3 \pmod 4; \end{cases}$$
• Cusick and Dobbertin: $m \equiv 2 \pmod 4$, $d = 2^{m/2} + 2^{(m+2)/4} + 1$ and $d = 2^{(m+2)/2} + 3$.
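As an added worked example (not from the slides), the Python below generates one period of an m-sequence from the primitive polynomial $x^5 + x^2 + 1$ (an assumed choice), checks the two-valued autocorrelation and the shift-and-add property, and computes the cross correlation $C_d(\tau)$ with the decimation $\{s_{dt}\}$ for the Gold decimation $d = 2^1 + 1 = 3$ and for $d = 2$, verifying the first two moment identities from the previous slides.

```python
from collections import Counter

def m_sequence(taps, m):
    """One period of the m-sequence of f(x) = x^m + sum_{i in taps} x^i,
    run as the recurrence s_{t+m} = sum_{i in taps} s_{t+i} (mod 2)."""
    state = [1] + [0] * (m - 1)      # any nonzero seed works
    seq = []
    for _ in range(2 ** m - 1):
        seq.append(state[0])
        new = 0
        for i in taps:
            new ^= state[i]
        state = state[1:] + [new]
    return seq

def decimate(s, d):
    """{s_{dt}}: every d-th term, indices taken modulo the period p."""
    p = len(s)
    return [s[(d * t) % p] for t in range(p)]

def correlation(a, b):
    """C_{a,b}(tau) = sum_t (-1)^{a_t + b_{t+tau}} for tau = 0, ..., p-1."""
    p = len(a)
    return [sum(1 - 2 * (a[t] ^ b[(t + tau) % p]) for t in range(p))
            for tau in range(p)]

def moments(c):
    """The slide's first two moment identities: sum (C+1) and sum (C+1)^2."""
    return sum(x + 1 for x in c), sum((x + 1) ** 2 for x in c)

M = 5
S = m_sequence([0, 2], M)                # x^5 + x^2 + 1 is primitive: period 31
AUTO = correlation(S, S)                 # 2^m - 1 at tau = 0, -1 elsewhere
GOLD = correlation(decimate(S, 3), S)    # Gold decimation d = 2^1 + 1, m = 5 odd
SQUARE = correlation(decimate(S, 2), S)  # d = 2^i: {s_{2t}} is a shift of {s_t}

if __name__ == "__main__":
    print("ones/zeros in one period:", sum(S), len(S) - sum(S))
    print("autocorrelation values:", Counter(AUTO))
    print("C_3 distribution:", Counter(GOLD), "moments:", moments(GOLD))
    print("C_2 distribution:", Counter(SQUARE))
```

For $m = 5$ the Gold case gives the three values $-1$ and $-1 \pm 2^{(m+1)/2}$, while $d = 2$ gives only the two autocorrelation values because the decimation is a shift of the same sequence.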
Application of Sequences with Good Correlation
• Synchronization
• Radar and sonar applications
• Generation of pseudo-random sequences
• Stream ciphers in cryptography
• CDMA applications for mobile and wireless (all standards for 3G telephony are based on CDMA)
• many others
Orthogonal Sequences and their Use
Take an m-sequence 1001011 and construct the following set of sequences
 1  1  1  1  1  1  1  1
 1 −1  1  1 −1  1 −1 −1
 1  1  1 −1  1 −1 −1 −1
 1  1 −1  1 −1 −1 −1  1
 1 −1  1 −1 −1 −1  1  1
 1  1 −1 −1 −1  1  1 −1
 1 −1 −1 −1  1  1 −1  1
 1 −1 −1  1  1 −1  1 −1
Each pair of these sequences has zero inner product (orthogonal) because the cross correlation at shift 0 is zero.
Orthogonal Sequences and their Use (2)
• each user $i \in \{1, \ldots, M\}$ has the sequence $p^i = \{p^i_0, \ldots, p^i_{n-1}\}$
• if user $i$ wants to send data $d_i \in \{1, -1\}$ he transmits $d_i p^i = \{d_i p^i_0, \ldots, d_i p^i_{n-1}\}$
• when many users transmit simultaneously (say, $i$ and $j$) $s = d_i p^i + d_j p^j$
• data $d_i$ is recovered by computing the inner product $s \cdot p^i = (d_i p^i + d_j p^j) \cdot p^i = n d_i + 0 \cdot d_j = n d_i$
Using threshold detectors, data can be recovered if the user sequences have low cross-correlation values even when synchronization is lost (sequences are shifted). To ease synchronization and minimize interference between users, we need large families (to support many users) of sequences with small
$$C_{\max} = \max\{C_{a,b}(\tau) : \text{either } a \ne b \text{ or } \tau \ne 0\}.$$
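An added example (not part of the slides): the orthogonal set built from the m-sequence 1001011 exactly as on the previous slide (the all-ones row, then every cyclic shift mapped $0 \to 1$, $1 \to -1$ with a leading 1), a pairwise orthogonality check, and the synchronous two-user recovery $s \cdot p^i = n d_i$ with a sign threshold detector.

```python
MSEQ = [1, 0, 0, 1, 0, 1, 1]          # the slide's m-sequence of length 7

def orthogonal_set(mseq):
    """Rows: all ones, then each cyclic shift of the m-sequence mapped 0 -> +1,
    1 -> -1 with a leading +1, giving 2^m rows of length 2^m."""
    p = len(mseq)
    rows = [[1] * (p + 1)]
    for shift in range(p):
        rows.append([1] + [1 - 2 * mseq[(t + shift) % p] for t in range(p)])
    return rows

def inner(a, b):
    return sum(x * y for x, y in zip(a, b))

def max_offdiag_inner(rows):
    """Largest |<row_i, row_j>| over i != j; 0 means the set is orthogonal."""
    return max(abs(inner(rows[i], rows[j]))
               for i in range(len(rows)) for j in range(len(rows)) if i != j)

def transmit(users):
    """users: list of (d_i, p^i). Returns the superposed channel signal s."""
    n = len(users[0][1])
    return [sum(d * p[t] for d, p in users) for t in range(n)]

def recover(s, p):
    """Threshold detector on s . p^i, which equals n d_i for orthogonal,
    time-aligned user sequences."""
    return 1 if inner(s, p) > 0 else -1

ROWS = orthogonal_set(MSEQ)

if __name__ == "__main__":
    s = transmit([(1, ROWS[1]), (-1, ROWS[4])])   # users 1 and 4 send +1 and -1
    print("max off-diagonal inner product:", max_offdiag_inner(ROWS))
    print("user 1 sent +1, recovered", recover(s, ROWS[1]), "from", inner(s, ROWS[1]))
    print("user 4 sent -1, recovered", recover(s, ROWS[4]), "from", inner(s, ROWS[4]))
```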
m-Sequences of Different Lengths
$\{a_t\}$ and $\{b_t\}$ are binary sequences of length $p$;
$$C(\tau) = \sum_{t=0}^{p-1} (-1)^{a_t + b_{t+\tau}} \quad\text{for } 0 \le \tau < p$$
is the cross-correlation function of shift $\tau$. Well studied for a pair of m-sequences of the same length.
$\alpha$ a primitive element in $GF(2^m)$, $m$ even, and $\beta = \alpha^{2^{m/2}+1}$;
$s_t = Tr_m(\alpha^t)$ binary m-sequence of length $p = 2^m - 1$;
$u_t = Tr_{m/2}(\beta^t)$ binary m-sequence of length $2^{m/2} - 1$ (Kasami family);
$v_t = u_{dt}$ m-sequence of length $2^{m/2} - 1$ if $\gcd(d, 2^{m/2} - 1) = 1$;
$$C_d(\tau) = \sum_{t=0}^{p-1} (-1)^{s_t + v_{t+\tau}},$$
where $\tau = 0, \ldots, 2^{m/2} - 2$.
m-Sequences of Different Lengths (2)
Cross correlation $C_d(\tau)$ between $\{s_t\}$ and $\{v_t\}$ is at most 4-valued if $m = 2k$ and $d(2^l + 1) \equiv 2^i \pmod{2^k - 1}$ for an integer $l$ with $0 \le l < k$ and $i \ge 0$. The following distribution holds:
$-1 - 2^{k+e}$ occurs $\dfrac{2^{k-e} - 1}{2^{2e} - 1}$ times
$-1 - 2^k$ occurs $\dfrac{(2^k - 1)(2^{e-1} - 1)}{2^e - 1}$ times
$-1$ occurs $2^{k-e} - 1$ times
$-1 + 2^k$ occurs $\dfrac{(2^k + 1) 2^{e-1}}{2^e + 1}$ times,
where $e = \gcd(l, k)$.
• If $k > 1$ and $e = 1$ then $C_d(\tau)$ is 3-valued ($C_d(\tau) \ne -1 - 2^k$).
• If $d = 1$ (Kasami family) then $C_d(\tau)$ is 2-valued ($-1$ and $-1 - 2^{k+e}$).
Conjecture 1. Except for the case when $m = 8$ and $d = 7$, all decimations leading to at most four-valued cross correlation between two m-sequences of different lengths $2^{2k} - 1$ and $2^k - 1$ are described above.
Computationally checked for $m \le 32$.
Distribution of Cross Correlation
The set of values of $C_d(\tau) + 1$ for $\tau = 0, \ldots, 2^k - 2$ is equal to the set of values of
$$S(a) = \sum_{x \in GF(2^m)} (-1)^{Tr_m(ax) + Tr_k\left(x^{d(2^k+1)}\right)} = \sum_{y \in GF(2^m)} (-1)^{Tr_m\left(a y^{2^l+1}\right) + Tr_k\left(y^{2^k+1}\right)} = S_0(a)$$
when $a \in GF(2^k)^*$, taking $m = 2k$ and assuming $l/e$ is even.
Proposition 2. Take integers $l$ and $k$ with $0 \le l < k$ such that $k/e$ is odd. Then
$$S_0(a) = 2^k \sum_{v \in GF(2^k),\ F_a(v) = 0} (-1)^{Tr_k\left(a^{l/e+1} c^{-2} v^{2^l+1} + v\right)},$$
where $F_a(x) = a^{2^l} x^{2^{2l}} + x^{2^l} + ax + c$ with $c^{-1} = \delta + \delta^{-1} \in GF(2^e)$ for $\delta$ a primitive $(2^e + 1)$th root of unity over $GF(2)$, and $Tr_e(c) = 1$. Moreover, $S_0(a)^2$ taken for all $a \in GF(2^k)^*$ has the following distribution for $l/e$ even:
$0$ occurs $2^{k-e} - 1$ times
$2^{2k}$ occurs $\dfrac{2^{k+2e} - 2^{k+e} - 2^k + 1}{2^{2e} - 1}$ times
$2^{2(k+e)}$ occurs $\dfrac{2^{k-e} - 1}{2^{2e} - 1}$ times.
Distribution of Cross Correlation (2)
Lemma 3. For any decimation $d$ with $\gcd(d, 2^k - 1) = 1$ the exponential sum $S(a)$ satisfies the following moment identities:
$$\sum_{a \in GF(2^k)^*} S(a) = 2^k, \qquad \sum_{a \in GF(2^k)^*} S(a)^2 = 2^{2k}(2^k - 1), \qquad \sum_{a \in GF(2^k)^*} S(a)^3 = -2^{4k} + (\lambda + 3) 2^{m+k},$$
where $\lambda$ is the number of solutions for $x_1, x_2 \in GF(2^m)^*$ of the equation system
$$1 + x_1 + x_2 = 0, \qquad 1 + x_1^{d(2^k+1)} + x_2^{d(2^k+1)} = 0.$$
For the values of $d$ that we consider it is easy to show that $\lambda = 2^{\gcd(l,k)} - 2$.
Permutation Polynomials by Dobbertin
$$A_1(x) = x, \quad A_2(x) = x^{2^l+1}, \quad A_{i+2}(x) = x^{2^{(i+1)l}} A_{i+1}(x) + x^{2^{(i+1)l} - 2^{il}} A_i(x) \ \text{ for } i \ge 1,$$
$$B_1(x) = 0, \quad B_2(x) = x^{2^l-1}, \quad B_{i+2}(x) = x^{2^{(i+1)l}} B_{i+1}(x) + x^{2^{(i+1)l} - 2^{il}} B_i(x) \ \text{ for } i \ge 1.$$
Let $\gcd(l, k) = 1$ and $l' = l^{-1} \pmod k$ and define the polynomials
$$R(x) = \sum_{i=1}^{l'} A_i(x) + B_{l'}(x) \quad\text{and}\quad S(x) = \frac{\sum_{i=1}^{l'} x^{2^{il}} + l' + 1}{x^{2^l+1}}.$$
Theorem 4 (Dobbertin). $S(x)$ is a permutation polynomial on $GF(2^k)^*$. (To be formally more precise, we get a polynomial $S(x)$ if $x^{-(2^l+1)}$ is substituted by $x^{(2^k-1)-(2^l+1)}$.) Moreover, $S(x)$ and $R(x^{-1})$ are inverses of each other, i.e., for any nonzero $u, v \in GF(2^k)$ with $S(u) = v^{-1}$ it always holds that $R(v) = u$.
Polynomial $F_a(x) = a^{2^l} x^{2^{2l}} + x^{2^l} + ax + 1$
Lemma 5. $R(a^{-1})$ is a zero of $F_a(x)$ in $GF(2^k)$ for any $a \in GF(2^k)^*$.
Thus, it suffices to analyze the number of zeros of the linearized homogeneous part of $F_a(x)$ which, after dividing by $a^{-1} x$, then raising to the power $2^{k-1}$ and replacing $(a x^{2^l-1})^{2^{k-1}}$ by $z$ (one-to-one), takes on the form
$$P_a(z) = z^{2^l+1} + z + a.$$
$M_i$ is the number of $a \in GF(2^k)^*$ such that $P_a(z)$ has exactly $i$ zeros in $GF(2^k)$.
Theorem 6. For any $a \in GF(2^k)^*$ and a positive integer $l < k$ with $\gcd(l, k) = 1$ the polynomial $P_a(x)$ has either none, one, or three zeros in $GF(2^k)$. Further, $P_a(x)$ has exactly one zero in $GF(2^k)$ if and only if $Tr_k(R(a^{-1}) + 1) = 1$. Finally, the following distribution holds for $k$ odd (respectively, $k$ even):
$$M_0 = \frac{2^k + 1}{3} \ \left(\text{resp. } \frac{2^k - 1}{3}\right), \quad M_1 = 2^{k-1} - 1 \ \left(\text{resp. } 2^{k-1}\right), \quad M_3 = \frac{2^{k-1} - 1}{3} \ \left(\text{resp. } \frac{2^{k-1} - 2}{3}\right).$$
Polynomials $C_i(x)$ and $Z_n(x)$ over $GF(2^k)$
Take an integer $l < k$ and let $e = \gcd(l, k)$ so that $k = ne$. Denoting $v_i = v^{2^{il}}$ ($i = 0, \ldots, n-1$) for any $v \in GF(2^k)$, let
$$C_1(x) = 1, \quad C_2(x) = 1, \quad C_{i+2}(x) = C_{i+1}(x) + x_i C_i(x) \ \text{ for } 1 \le i \le n-1,$$
$$Z_n(x) = C_{n+1}(x) + x\, C_{n-1}^{2^l}(x).$$
For $j \le i$ and $x \in GF(2^k)$ let $D$ be the tridiagonal matrix
$$D = \begin{pmatrix} 1 & x_j & \cdots & 0 & 0 \\ x_j & \ddots & \ddots & & 0 \\ \vdots & \ddots & \ddots & \ddots & \vdots \\ 0 & & \ddots & \ddots & x_i \\ 0 & \cdots & 0 & x_i & 1 \end{pmatrix}$$
and $\Delta_x(j, i) = \det D$. Then
$$\Delta_x(1, i) = C_{i+2}(x), \qquad \Delta_x(1, i)^{2^{tl}} = \Delta_x(1 + t, i + t) \ \text{ for } 0 \le t \le n-1.$$
Polynomials $C_i(x)$ and $Z_n(x)$ (2)
Proposition 7. Take any $v \in GF(2^{ne}) \setminus GF(2^e)$ with $n > 1$ and let
$$V = \frac{v_0^{2^{2l}+1}}{(v_0 + v_1)^{2^l+1}}. \tag{1}$$
Then
$$C_n(V) = \frac{Tr^{ne}_e(v_0)}{v_1 + v_2} \prod_{j=2}^{n-1} \left(\frac{v_0}{v_0 + v_1}\right)^{2^{jl}}.$$
If $n$ is odd (respectively, $n$ is even) then the total number of distinct zeros of $C_n(x)$ in $GF(2^{ne})$ is equal to $\dfrac{2^{(n-1)e} - 1}{2^{2e} - 1}$ (respectively, $\dfrac{2^{(n-1)e} - 2^e}{2^{2e} - 1}$). All zeros have the form of (1) with $Tr^{ne}_e(v_0) = 0$ and occur with multiplicity $2^l$. Moreover, the polynomial $C_n(x)$ splits in $GF(2^{ne})$ if and only if $e = l$ or $n < 4$.
Corollary 8. If $n$ is odd (respectively, $n$ is even) then the total number of distinct zeros of $Z_n(x)$ in $GF(2^{ne})$ is equal to $\dfrac{2^{(n+1)e} - 2^{2e}}{2^{2e} - 1}$ (respectively, $\dfrac{2^{(n+1)e} - 2^e}{2^{2e} - 1}$). All zeros have the form of (1) and occur with multiplicity one. Moreover, the polynomial $Z_n(x)$ splits in $GF(2^{ne})$ if and only if $e = l$ or $n = 1$.
Polynomial $P_a(x) = x^{2^l+1} + x + a$
For any $a \in GF(2^k)^*$, the polynomial $P_a(x)$ has
• none or exactly two zeros in $GF(2^k)$ iff $Z_n(a) \ne 0$;
• exactly two zeros in $GF(2^k)$ iff $Z_n(a) \ne 0$ and $Tr_e\left(N^k_e(a)/Z_n^2(a)\right) = 0$;
• exactly one zero in $GF(2^k)$ iff $Z_n(a) = 0$ and $C_n(a) \ne 0$; this zero is equal to $\left(a\, C_n^{2^l-1}(a)\right)^{2^{k-1}}$;
• exactly $2^e + 1$ zeros in $GF(2^k)$ iff $C_n(a) = 0$.
$M_i = \#\{a \mid a \ne 0,\ P_a(x) \text{ has exactly } i \text{ zeros in } GF(2^k)\}$. If $n$ is odd (resp. $n$ is even) then
$$M_0 = \frac{(2^k + 1) 2^{e-1}}{2^e + 1} \ \left(\text{resp. } \frac{(2^k - 1) 2^{e-1}}{2^e + 1}\right), \quad M_1 = 2^{k-e} - 1 \ \left(\text{resp. } 2^{k-e}\right),$$
$$M_2 = \frac{(2^k - 1)(2^{e-1} - 1)}{2^e - 1} \ \text{(in both cases)}, \quad M_{2^e+1} = \frac{2^{k-e} - 1}{2^{2e} - 1} \ \left(\text{resp. } \frac{2^{k-e} - 2^e}{2^{2e} - 1}\right).$$
If $\gcd(l, k) = 1$ then $Tr_k(R(a^{-1}) + 1) = 1$ iff $Z_k(a) = 0$ and $C_k(a) \ne 0$.
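An added example (not from the slides) that checks the zero-count distribution of $P_a(x) = x^{2^l+1} + x + a$ by brute force over small fields and compares it with the $M_i$ formulas above (Theorem 6 is the $e = 1$ case; the general $n = k/e$ odd case is used here). Field arithmetic is a plain bit-polynomial $GF(2^k)$ built from the primitive polynomials $x^5 + x^2 + 1$ and $x^6 + x + 1$, which are assumed choices of this example.

```python
from collections import Counter
from math import gcd

def gf_mul(x, y, k, poly):
    """Multiply two GF(2^k) elements held as k-bit ints, modulo `poly`."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> k:
            x ^= poly
    return r

def gf_pow(x, n, k, poly):
    r = 1
    while n:
        if n & 1:
            r = gf_mul(r, x, k, poly)
        x = gf_mul(x, x, k, poly)
        n >>= 1
    return r

def zero_distribution(k, l, poly):
    """{i: M_i} with M_i = #{a != 0 : P_a(x) has exactly i zeros in GF(2^k)}.
    In characteristic 2, P_a(x) = 0 iff x^{2^l+1} + x = a, so the zeros of
    P_a are the preimages of a under x -> x^{2^l+1} + x."""
    q = 1 << k
    images = Counter(gf_pow(x, (1 << l) + 1, k, poly) ^ x for x in range(q))
    return Counter(images.get(a, 0) for a in range(1, q))

def predicted(k, l):
    """The slide's M_i for n = k/e odd, e = gcd(l, k)."""
    e = gcd(l, k)
    assert (k // e) % 2 == 1, "formulas below are the n odd case"
    return {0: ((2 ** k + 1) * 2 ** (e - 1)) // (2 ** e + 1),
            1: 2 ** (k - e) - 1,
            2: ((2 ** k - 1) * (2 ** (e - 1) - 1)) // (2 ** e - 1),
            2 ** e + 1: (2 ** (k - e) - 1) // (2 ** (2 * e) - 1)}

if __name__ == "__main__":
    # (k, l, primitive polynomial): x^5 + x^2 + 1 and x^6 + x + 1 (assumed choices)
    for k, l, poly in ((5, 1, 0b100101), (6, 2, 0b1000011)):
        print(k, l, dict(zero_distribution(k, l, poly)), predicted(k, l))
```

For $k = 5$, $l = 1$ the counts are $M_0 = 11$, $M_1 = 15$, $M_3 = 5$ (no $a$ with two zeros, as Theorem 6 states); for $k = 6$, $l = 2$ ($e = 2$, $n = 3$) the four classes $0, 1, 2, 5$ all occur.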
Polynomials $l_a(x) = a^{2^l} x^{2^{2l}} + x^{2^l} + ax$ and $P_a(x)$
Theorem 9 (Bluher). For any $b \in GF(2^k)^*$, take the polynomials
$$f(x) = x^{2^l+1} + b^2 x + b^2 \quad\text{and}\quad g(x) = b^{-1} f(b x^{2^l-1}) = b^{2^l} x^{2^{2l}-1} + b^2 x^{2^l-1} + b$$
over $GF(2^k)$ and let $\gcd(l, k) = e$. Then exactly one of the following holds:
(i) $f(x)$ has none or two zeros in $GF(2^k)$ and $g(x)$ has no zeros in $GF(2^k)$;
(ii) $f(x)$ has one zero in $GF(2^k)$ and $g(x)$ has $2^e - 1$ zeros in $GF(2^k)$;
(iii) $f(x)$ has $2^e + 1$ zeros in $GF(2^k)$ and $g(x)$ has $2^{2e} - 1$ zeros in $GF(2^k)$.
Let $N_i$ denote the number of $b \in GF(2^k)^*$ such that $f(x) = 0$ has exactly $i$ roots in $GF(2^k)$. Then the following distribution holds for $k/e$ odd (resp., $k/e$ even):
$$N_0 = \frac{(2^k + 1) 2^{e-1}}{2^e + 1} \ \left(\text{resp. } \frac{(2^k - 1) 2^{e-1}}{2^e + 1}\right), \quad N_1 = 2^{k-e} - 1 \ \left(\text{resp. } 2^{k-e}\right),$$
$$N_2 = \frac{(2^k - 1)(2^{e-1} - 1)}{2^e - 1} \ \text{(in both cases)}, \quad N_{2^e+1} = \frac{2^{k-e} - 1}{2^{2e} - 1} \ \left(\text{resp. } \frac{2^{k-e} - 2^e}{2^{2e} - 1}\right).$$
Polynomial $F_a(x) = a^{2^l} x^{2^{2l}} + x^{2^l} + ax + c$
Here $c \in GF(2^e)$, and let $N_i = \#\{a \mid a \ne 0,\ F_a(x) \text{ has exactly } i \text{ zeros in } GF(2^k)\}$.
Proposition 10. Take any $a \in GF(2^k)$. Then the polynomial $F_a(x)$ has exactly one zero in $GF(2^k)$ if and only if $Z_n(a) \ne 0$. Moreover, this zero is equal to $V_a = c\, C_n(a)/Z_n(a)$ and $Tr^k_e(V_a) = nc$. Also, if $n$ is odd (resp. $n$ is even) then
$$|N_1| = \frac{2^{k+2e} - 2^{k+e} - 2^k + 1}{2^{2e} - 1} \ \left(\text{resp. } \frac{2^{k+2e} - 2^{k+e} - 2^k - 2^{2e} + 2^e + 1}{2^{2e} - 1}\right).$$
Proposition 11. Take any $a \in GF(2^k)^*$. Then the polynomial $F_a(x)$ has exactly $2^e$ zeros in $GF(2^k)$ if and only if $Z_n(a) = 0$ and $C_n(a) \ne 0$. In this case, $Tr^k_e(v) = (n - 1)c$ for any $v \in GF(2^k)$ with $F_a(v) = 0$. Moreover, if $n$ is odd then these zeros are the following:
$$v_\mu = c \sum_{i=0}^{\frac{n-1}{2}} \frac{C_{n-1}^{2^{(2i+1)l}}(a)}{C_n^{2^{(2i+1)l} + 2^{2il} - 1}(a)} + \mu\, C_n(a)$$
for every $\mu \in GF(2^e)$. Also, if $n$ is odd (resp. $n$ is even) then $|N_{2^e}| = 2^{k-e} - 1$ (resp. $2^{k-e}$).
The Affine Polynomial $F_a(x)$ and $S_0(a)$
Proposition 12. Take any $a \in GF(2^k)^*$. Then the polynomial $F_a(x)$ has exactly $2^{2e}$ zeros in $GF(2^k)$ if and only if $C_n(a) = 0$. In this case, $Tr^k_e(v) = nc$ for any $v \in GF(2^k)$ with $F_a(v) = 0$. Moreover, if $n$ is odd (resp. $n$ is even) then
$$M_{2^{2e}} = \frac{2^{k-e} - 1}{2^{2e} - 1} \ \left(\text{resp. } \frac{2^{k-e} - 2^e}{2^{2e} - 1}\right).$$
Proposition 13. Take integers $l$ and $k$ with $0 \le l < k$ such that $n = k/e$ is odd, where $e = \gcd(l, k)$. For any $a \in GF(2^k)$ the distribution of $S_0(a)$ for $l/e$ even is as follows:
$$S_0(a) = \begin{cases} -2^k (-1)^{Tr_e\left(N^k_e(a)/Z_n^2(a)\right)} & \text{if } Z_n(a) \ne 0 \\ 0 & \text{if } Z_n(a) = 0 \text{ and } C_n(a) \ne 0 \\ -2^{k+e} & \text{if } C_n(a) = 0 \end{cases}$$
and for $l/e$ odd
$$S_0(a) = \begin{cases} -2^k & \text{if } Z_n(a) \ne 0 \\ 2^{k+e} & \text{if } Z_n(a) = 0 \text{ and } C_n(a) \ne 0 \\ -2^{k+2e} & \text{if } C_n(a) = 0. \end{cases}$$
Remarkable Connections
Take $k$ odd, $\gcd(l, k) = 1$ and let $A_1$ be the number of solutions of
$$x + y + z + u = 1, \qquad x^{2^l+1} + y^{2^l+1} + z^{2^l+1} + u^{2^l+1} = 0, \qquad x^{2^{2l}+1} + y^{2^{2l}+1} + z^{2^{2l}+1} + u^{2^{2l}+1} = 0,$$
where $x, y, z, u \in GF(2^k)$ are pairwise distinct. Then
$$A_1 = 2^k + 1 + 3 G^{(l)}_k - 2 C_k - 2 K^{(l)}_k,$$
where
$$G^{(l)}_k = \sum_{x \in GF(2^k)^*} (-1)^{Tr_k(x^{2^l+1} + x^{-1})} \overset{?}{=} \sum_{x \in GF(2^k)^*} (-1)^{Tr_k(x^3 + x^{-1})},$$
$$C_k = \sum_{x \in GF(2^k)} (-1)^{Tr_k(x^{2^l+1} + x)} = \begin{cases} 2^{(k+1)/2} & \text{if } k \equiv \pm 1 \pmod 8 \\ -2^{(k+1)/2} & \text{if } k \equiv \pm 3 \pmod 8, \end{cases}$$
$$K^{(l)}_k = 2 \sum_{Tr_k(x) = 1} (-1)^{Tr_k\left(\frac{x^{2^{2l}+1}}{(x + x^{2^l})^{2^l+1}}\right)} \overset{?}{=} \sum_{x \in GF(2^k)^*} (-1)^{Tr_k(x + x^{-1})}.$$
Dickson Polynomials
$$D_0(x) = 0, \quad D_1(x) = x, \quad D_{i+2}(x) = x D_{i+1}(x) + D_i(x),$$
$$D_{2^l+1}(x) = x^{2^l+1} + D_{2^l-1}(x), \qquad D_{2^l-1}(x) = \sum_{i=0}^{l-1} x^{2^l+1-2^{l-i}}, \qquad D_i(x + x^{-1}) = x^i + x^{-i}.$$
Theorem 14. $D_i(x)$ is a permutation polynomial on $GF(2^k)$ iff $\gcd(i, 2^{2k} - 1) = 1$. In particular, if $\gcd(l, k) = 1$ then $D_{2^l-1}$ is a permutation polynomial on $GF(2^k)$ iff $l$ is odd, and $D_{2^l+1}$ is a permutation polynomial on $GF(2^k)$ iff $l$ is even. Moreover, $L_{D_{2^l+1}} = L_{D_3}$ if $l$ is odd and $L_{D_{2^l-1}} = L_{D_3}$ if $l$ is even, where
$$L_\eta(v) := \#\{x \in GF(2^k) : \eta(x) = v\}.$$
Idea of the Proof
Take the equation $F_a(x) = 0$ and all its $2^{il}$ powers to obtain $n$ equations
$$F_a^{2^{il}}(x) = a_{i+1} x_{i+2} + x_{i+1} + a_i x_i + c = 0 \quad\text{for } i = 0, \ldots, n-1.$$
Let $M_n$ be the $n \times n$ coefficient matrix of this system in the unknowns $x_0, \ldots, x_{n-1}$ (indices taken modulo $n$), whose $i$th row carries the entries $a_i, 1, a_{i+1}$ and zeros elsewhere. Then
$$\det M_n = Z_n^2(a).$$
Idea of the Proof (2)
If $Z_n(a) = 0$ and $B_n(a) \ne 0$ then $\mu B_n(a)$ (for all $\mu \in GF(2^e)$) are zeros of
$$l_a(x) = a_1 x^{2^{2l}} + x^{2^l} + a_0 x,$$
the linearized homogeneous part of $A_a(x)$, and these are all the roots.
Substitute $x = B_n(a) v$. All zeros of $A_a(x)$ are also roots of
$$v^{2^l} + v = \frac{c\, B_{n-1}^{2^l}(a)}{B_n^{2^l+1}(a)} = cD,$$
which is solvable if and only if $Tr^{ne}_e\left(\dfrac{B_{n-1}^{2^l}(a)}{B_n^{2^l+1}(a)}\right) = 0$ (we know that if $Z_n(a) = 0$ and $B_n(a) \ne 0$ then $a = \dfrac{v_0^{2^{2l}+1}}{(v_0 + v_1)^{2^l+1}}$ with $Tr^{ne}_e(v_0) \ne 0$). If $n$ is odd then
$$v = c\left(D + D^{2^{2l}} + \cdots + D^{2^{(n-1)l}}\right).$$
What is the explicit solution if $n$ is even?