The Computational Complexity of Linear Optics - Scott Aaronson
On the linear complexity profile of the power generator
Click here to load reader
Transcript of On the linear complexity profile of the power generator
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 6, SEPTEMBER 2000 2159
On the Linear Complexity Profile of thePower Generator
Frances Griffin and Igor E. Shparlinski
Abstract—We obtain a lower bound on the linear complexityprofile of the power generator of pseudo-random numbers moduloa Blum integer. A different method is also proposed to estimatethe linear complexity profile of the Blum–Blum–Shub generator.In particular, these results imply that lattice reduction attacks onsuch generators are not feasible.
Index Terms—Blum–Blum–Shub generator, cryptography,linear complexity profile, power generator, RSA generator.
I. INTRODUCTION
L ET , , and be integers such that .Then one can define the sequence by the recurrence
relation
(1)with the initial value .
This sequence is known as thepower generatorof pseudo-random numbers and has many applications to cryptography,see [1], [5], [14], and [21].
In two special cases , where is theEuler function, and this sequence is known as theRSAgeneratorand as theBlum–Blum–Shub generator, respectively.
It is obvious that the sequence (1) eventually becomes pe-riodic with some period . Throughout this paperwe assume that this sequence ispurely periodic, that is, that
beginning with . It is easy to see that ifthis is always the case, otherwise we con-
sider a shift of the original sequence.Various properties of the power generator have been studied
in a number of papers [1], [2], [4]–[9], [11], [14], [16], [20],[21]. For example, it is shown in [4] that the rightmost bit ofthe Blum–Blum–Shub generator takes valuesand almostequally often, provided that the period is large enough. For theRSA generator, the distribution of strings of leftmost and right-most bits of has been studied in [7] and [9]. In particular, itis shown in [9] that if the periodof the sequence satisfiesthe inequality for some fixed then the frac-tions are uniformly distributed in theinterval .
Here we study one more important characteristic of this se-quence.
Manuscript received October 7, 1998; revised April 7, 2000.The authors are with the Department of Computing, Macquarie University,
NSW 2109, Australia (e-mail: fgriffin @ics.mq.edu.au; [email protected]).Communicated by D. Stinson, Associate Editor for Complexity and Cryptog-
raphy.Publisher Item Identifier S 0018-9448(00)06989-3.
We recall, that thelinear complexity profile of aninfinite sequence over the residue ring modulo is thefunction which for every integer is defined as the order
of the shortest linear recurrence relation
which is satisfied by this sequence, see [5], [16]–[19].The largest value
is called thelinear complexityof the sequence.Obviously, for some sequences the linear complexity can be
equal to infinity. However, for the linear complexity of any pe-riodic sequence of periodone easily verifies that
In this paper, we study the most important case for applica-tions when . Such numbers are calledBlum integers(sometimes it is also requested that they satisfy additional con-ditions such as that ). In fact, this result isbased on a similar estimate for a prime . Moreover, onecan obtain similar results for any integer having only largeprime divisors.
For a Blum integer , the lower bound
has been obtained in [20], and it has been shown that ifis oforder , this bound is almost optimal. This bound is derivedfrom the bound
(2)
which holds when is prime. We note that it has beenproved in [8] that for almost all values of the parameters of theRSA generator the corresponding sequence indeed has periodof order .
Here we generalize these results and obtain lower bounds onthe linear complexity profile of the power generator modulo aBlum integer. Our bound is nontrivial when the periodsatisfiesthe inequality . In this case the bound applies toall values of beginning with for anyand sufficiently large .
Our results demonstrate that the power generator does notcontain any hidden linear structure. In particular, this rules outa possibility of the lattice reduction attack on this generator and
0018–9448/00$10.00 © 2000 IEEE
2160 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 6, SEPTEMBER 2000
even its truncated versions, see [13], [14] where such attacks onthe linear congruential generator
where and are integers with , have beendescribed.
We also propose an alternative method which works for smallvalues of and which we demonstrate in the most important caseof the Blum–Blum–Shub generator, that is, for .
II. A UXILIARY RESULTS
We need the following two simple statements.
Lemma 1: Let and be integers. Let be the largestpositive integer for which the powers aredistinct modulo . Then for any and ,there exists an integer, , such that the congruence
has
solutions.Proof: It is easy to see that
and the lemma follows.
Lemma 2: Let a sequence satisfy a linear recurrencerelation of order over a field . Then for anypairwise-distinct nonnegative integers there exist
, not all equal to zero, such that
Proof: It is easy to see that the set of all solutions of anylinear recurrence relation over any fieldis a linear space ofdimension over , for example, see [15, Ch. 8]. Therefore,any solutions are linear dependent. In particular, thesequences are linear dependent.
We also need the following statements which are partial casesof much more general results of [3], [10], [12].
Lemma 3: Let a sequence satisfy a linear recurrencerelation of order over a field . Then the sequence of squares
satisfies a linear recurrence relation of order at most.
Lemma 4: Let sequences and satisfy linear recur-rence relations of order and , respectively, over a field .Then the sequence satisfies a linear recurrence rela-tion of order at most .
III. GENERAL ESTIMATES
Now we are prepared to formulate our estimates for the RSAgenerator. First of all we consider the case of prime modulus.
Theorem 5: Let be prime. Assume that a sequence, given by (1) with , is pure periodic with period.
Then for the linear complexity profile the bound
holds.Proof: As we have mentioned, for .
We now assume that . Put
Let be the largest positive integer for which the powers,are distinct modulo . Obviously
From Lemma 1 we see that there exists, ,such that the number of solutionsof the congruence
satisfies
Let and be the corresponding values ofand , respectively.Assume that . Let be a linear recurrence
sequence of order with forwhich satisfies the same linear recurrence relation as the first
terms of the sequence . Thus in fact for.
From Lemma 2 we see that there exist integersnot all equal to zero modulo, such that
for all .Remarking that
for all with
we conclude that
for such . In particular, it holds for because inthis case
GRIFFIN AND SHPARLINSKI: ON THE LINEAR COMPLEXITY PROFILE OF THE POWER GENERATOR 2161
Because , we conclude thatthe nonzero modulo polynomial
of degree
has at least distinct zeros , modulo, which is impossible. Hence , and the desired
result follows.
We use Theorem 5 to estimate the linear complexity profilemodulo a Blum integer.
Theorem 6: Let , where and are two distinctprimes. Assume that the sequence , given by (1), is pureperiodic with period . Then, for , for the linear com-plexity profile the bound
holds.Proof: Let be the period of the sequence modulo
and let be the period of the sequence modulo . Obvi-ously, . Assume that . Let be the linearcomplexity profile of the sequence taken modulo . Obvi-ously, . Therefore, from Theorem 5 and thebound (2) we derive
Taking into account that and , weobtain the desired statement.
IV. THE BLUM–BLUM–SHUB GENERATOR
For small , an alternative approach has been described in[20]. Although we still do not know how to apply it to estimatingthe linear complexity , surprisingly enough, it can be com-bined with the lower bound (2) and thus can produce nontrivialestimates on .
We demonstrate this approach for the very important case, which is not covered by Theorems 5 and 6. The result
can be easily extended to other values ofbut it weakens quitequickly when grows.
Theorem 7: Let be prime. Assume that a sequenceis given by (1) with and and let be the
period of this sequence. Then for the linear complexity profilethe bound
holds.Proof: Let be a sequence over , whose initial seg-
ment of length coincides with that of , that is, ,and which satisfies the same linear recur-
rence equation as the first terms of . From Lemmas 3and 4 we see that the sequence is of order
On the other hand, it has consecutive zeros forso, unless this sequence is the all-zeros sequence
Therefore,
in this case.Otherwise, that is, if is the all-zeros sequence,
we have for all . Since we also havethen for every . Hence
in this case, and we obtain the desired result.
From Theorem 7 and the bound (2) we see
(3)
As before, we use Theorem 7 to estimate the linear com-plexity profile modulo a Blum integer.
Theorem 8: Let , where and are two distinctprimes. Assume that the sequence is given by (1) with
and let be the period of this sequence. Then, for thelinear complexity profile the bound
holds.Proof: Let be the period of the sequence modulo
and let be the period of the sequence modulo . Obvi-ously, . Therefore,
Without loss of generality we may assume that
Let be the linear complexity profile of the sequencetaken modulo . Obviously, and from thebound (3) we derive the desired statement.
We remark that if then the bound of Theorem8 is nontrivial for any value of .
V. REMARKS
Of course, Theorem 5 allows us to derive lower bounds onthe linear complexity of the RSA generator modulo any integer
without small prime divisors. On the other hand, it would beof interest to obtain a general lower bound which is nontrivialfor, say, large powers of small prime numbers.
We also remark that all our results can be extended to intervals.
2162 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 6, SEPTEMBER 2000
It would also be interesting to extend the results of this paperas well as the results of [7], [20] to the case of theexponentialgenerator
which also has numerous cryptographic applications [5], [14].
ACKNOWLEDGMENT
The authors wish to thank H. Niederreiter for consultationson the theory of linear complexity of sequences.
REFERENCES
[1] L. Blum, M. Blum, and M. Shub, “A simple unpredictable pseudo-random number generator,”SIAM J. Comput., vol. 15, pp. 364–383,1986.
[2] J. J. Brennan and B. Geist, “Analysis of iterated modular exponentiation:The orbit ofx mod N ,” Des., Codes Cryptogr., vol. 13, pp. 229–245,1998.
[3] E. Çakçak, “A remark on the minimal polynomial of the product of linearrecurring sequences,”Finite Fields and Their Appl., vol. 4, pp. 87–97,1998.
[4] T. W. Cusick, “Properties of thex mod N pseudorandom number gen-erator,”IEEE Trans. Inform. Theory, vol. 41, pp. 1155–1159, July 1995.
[5] T. W. Cusick, C. Ding, and A. Renvall,Stream Ciphers and NumberTheory. Amsterdam, The Netherlands: Elsevier, 1998.
[6] R. Fischlin and C. P. Schnorr,Stronger Security Proofs for RSA andRabin Bits’ (Lecture Notes in Computer Science). Berlin, Germay:Springer-Verlag, 1997, vol. 1233, pp. 267–279.
[7] J. B. Friedlander, D. Lieman, and I. E. Shparlinski, “On the distributionof the RSA generator,” inProc. Int. Conf. Sequences and Their Appli-cations (SETA’98), Singapore. London, U.K.: Springer-Verlag, 1999,pp. 205–212.
[8] J. B. Friedlander, C. Pomerance, and I. E. Shparlinski, “Period of thepower generator and small values of Carmichael’s function,”Math.Comput., to be published.
[9] J. B. Friedlander and I. E. Shparlinski, “On the distribution of the powergenerator,”Math. Comput., to be published.
[10] R. Göttfert and H. Niederreiter, “On the minimal polynomial of theproduct of linear recurring sequences,”Finite Fields and Their Appl.,vol. 1, pp. 204–218, 1995.
[11] J. Håstad and M. Näslund, “The security of individual RSA bits,” inProc39th IEEE Symp. Foundations of Computer Science, 1998, pp. 510–519.
[12] T. Herlestam, “On functions of linear shift register sequences,” inLec-ture Notes in Computer Science. Berlin, Germany: Springer-Verlag,1987, vol. 291, pp. 119–129.
[13] A. Joux and J. Stern, “Lattice reduction: A toolbox for the cryptanalyst,”J. Cryptol., vol. 11, pp. 161–185, 1998.
[14] J. C. Lagarias, “Pseudorandom number generators in cryptography andnumber theory,” inProc. Symp. Applied Maththematics. Providence,RI: Amer. Math. Soc., 1990, vol. 42, pp. 115–143.
[15] R. Lidl and H. Niederreiter,Finite Fields. Cambridge, U.K.: Cam-bridge Univ. Press, 1997.
[16] A. J. Menezes, P. C. van Oorrschot, and S. A. Vanstone,Handbook ofApplied Cryptography. Boca Raton, FL: CRC , 1996.
[17] H. Niederreiter, “Some computable complexity measures for binary se-quences,” inProc. Int. Conf. Sequences and Their Applications, Singa-pore, 1998.
[18] H. Niederreiter and M. Vielhaber, “Linear complexity profiles: Hausdorfdimension for almost perfect profiles and measures for general profiles,”J. Compl., vol. 13, pp. 353–383, 1996.
[19] R. A. Rueppel, “Stream ciphers,” inContemporary Cryptology: The Sci-ence of Information Integrity. New York: IEEE, 1992, pp. 65–134.
[20] I. E. Shparlinski, “On the linear complexity of the power generator,”Des., Codes Cryptogr., to be published.
[21] D. R. Stinson,Cryptography: Theory and Practice. Boca Raton, FL:CRC, 1995.