Linear complexity of some sequences derived from hyperelliptic curves of genus 2
arXiv [math.NT]
Vishnupriya Anupindi and László Mérai
Abstract.
For a given hyperelliptic curve C over a finite field with Jacobian J C , we consider the hyperelliptic analogue of the congruential generator defined by W n “ W n ´ ` D for n ě D, W P J C . We show that curves of genus 2 produce sequences with large linear complexity.

Introduction
Let F q be a finite field with characteristic p ě C of genus g ě C : Y “ f p X q , where f p X q P F q r X s is a monic polynomial of degree 2 g ` F q -rational points of C by C p F q q , which are the solutions over F q of thedefining equation (1.1) together with a point O at infinity. By the Hasse-Weil bound [29,Theorem 5.2.3], we have(1.2) || C p F q q| ´ p q ` q| ď gq { . Unlike elliptic curves (curves with genus g “ g ě
2) do not form an additive group. However, one can define a groupoperation by introducing the
Jacobian J C of the curve C .For an affine point P “ p x, y q P C , we write ´ P “ p x, ´ y q (and ´ O “ O ). A divisor D of C p F q q is an element of the free abelian group over the points of C p F q q , e. g. D “ ř P P C p F q q n P P with n P P Z and n P “ P .Then any element D P J C of the Jacobian can be uniquely represented as a reduceddivisor ψ p D q “ P ` ¨ ¨ ¨ ` P r ´ r O , where 1 ď r ď g , O is the point of C at infinity, P , . . . , P r P C , P i ‰ O , ď i ď r and P i ‰ ´ P j , 1 ď i ă j ď r . The element D is said to be defined over F q if the Frobenius endomorphism , defined by σ pp x, y qq “ p x q , y q q permutes the set t P , . . . , P r u . Mathematics Subject Classification.
Key words and phrases. elliptic curve, hyperelliptic curve, linear complexity, congruential generator.
We use J C p F q q to denote the set of elements of J C which are defined over F q . It followsfrom the Hasse-Weil Theorem [29, Theorem 5.1.15 and 5.2.1], that(1.3) p q { ´ q g ď | J C p F q q| ď p q { ` q g . It is common to represent the elements of the Jacobian by the
Mumford representation [25].Let D P J C p F q q , then the Mumford representation η p D q is a pair r u, v s of polynomials suchthat(a) u is monic,(b) u divides f ´ v ,(c) deg p v q ă deg p u q ď g .Let ψ p D q “ ř ri “ P i ´ r O , where P , . . . , P r P C , P i ‰ O , ď i ď r and P i ‰ ´ P j ,1 ď i ă j ď r . Put P i “ p x i , y i q . Then u “ ś ri “ p X ´ x i q and v p x i q “ y i is of the samemultiplicity as P i in ψ p D q .One can define a group operation, denoted by ` , on the Jacobian J C . In Mumfordcoordinates, the group operation can be computed using Cantor’s algorithm [2]. Thisalgorithm can be made highly effective for small genus, which is the most important casein cryptographic applications. See for example [18] for the case of genus g “ J C p F q q . Namely, let D P J C p F q q and define the sequence(1.4) W n “ D ` W n ´ “ nD ` W , n “ , , . . . , with some initial value W P J C p F q q .In the special case g “
1, that is, when C is an elliptic curve and J C – C , the sequence p W n q has been suggested as a pseudorandom number generator in [12] and later manypseudorandom properties of this sequence have been studied [1, 3, 5, 9, 10, 14, 22–24, 30].In particular, the linear complexity of the coordinates of p W n q has been studied [14, 24,30]. We recall, that the N -th linear complexity L p s n , N q of a sequence p s n q over the finitefield F q is defined as the smallest non-negative integer L such that the first N terms of thesequence p s n q can be generated by a linear recurrence relation over F q of order L , i.e. thereexist c , c , . . . , c L ´ P F q such that s n ` L “ c s n ` c s n ` ` ¨ ¨ ¨ ` c L ´ s n ` L ´ , ď n ď N ´ L ´ . The N -th linear complexity measures the unpredictability of a sequence and thus is animportant figure of merit in cryptography. Clearly, large linear complexity is a desired(but not sufficient) property for such applications. For more details, see [21, 26, 31].Hess and Shparlinski [14] estimated the linear complexity of the coordinates for theelliptic curve analog of (1.4). Namely, let x p¨q and y p¨q be the coordinate functions ofthe curve such that for any affine point P “ p x p P q , y p P qq . Among others, Hess andShparlinski [14] proved L p x p W n q , N q ě min " N , t * , where t is order of D , see also [24, 30]. INEAR COMPLEXITY OF HYPERELLIPTIC CURVE SEQUENCES 3
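The generator (1.4) and the N-th linear complexity just defined can be tried out concretely in the genus g = 1 special case mentioned above, where C is an elliptic curve and J C is the curve itself. The following is an added example written for this page; it is not code from the paper or its authors, and it does not implement the genus 2 Jacobian arithmetic (Mumford representation, Cantor's algorithm). The toy curve y^2 = x^3 + 2x + 3 over F_103, the base point D found by scanning, the initial value W_0 = 2D and every function name are constructed for the example. It produces x(W_n) over a full period t and computes L(x(W_n), N) with the Berlekamp-Massey algorithm, returning the recurrence in the paper's convention s_{n+L} = c_0 s_n + c_1 s_{n+1} + ... + c_{L-1} s_{n+L-1}.

```python
# Added example (not the paper's code): the genus g = 1 case of the generator
# W_n = W_{n-1} + D = nD + W_0, i.e. an elliptic curve E over F_p with J_C = E,
# and the N-th linear complexity of the coordinate sequence x(W_n), computed
# with the Berlekamp-Massey algorithm.  The curve y^2 = x^3 + 2x + 3 over F_103,
# the base point and the initial value are constructed for this example.
P, A, B = 103, 2, 3   # toy prime (P = 3 mod 4, so square roots are one exponentiation) and curve coefficients


def ec_add(pt1, pt2, a=A, p=P):
    """Affine group law on y^2 = x^3 + a*x + b over F_p; None stands for the point O at infinity."""
    if pt1 is None:
        return pt2
    if pt2 is None:
        return pt1
    x1, y1 = pt1
    x2, y2 = pt2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                        # Q + (-Q) = O
    if pt1 == pt2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def on_curve(pt, a=A, b=B, p=P):
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - a * pt[0] - b) % p == 0


def find_point(a=A, b=B, p=P):
    """First affine point with y != 0: scan x until x^3 + a*x + b is a nonzero square mod p."""
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        if rhs and pow(rhs, (p - 1) // 2, p) == 1:
            return (x, pow(rhs, (p + 1) // 4, p))
    raise ValueError("no affine point with y != 0")


def point_order(pt, a=A, p=P):
    """Order t of pt (smallest t >= 1 with t*pt = O), by repeated addition; fine on a toy curve."""
    acc, t = pt, 1
    while acc is not None:
        acc, t = ec_add(acc, pt, a, p), t + 1
    return t


def generator_x_sequence(d, w0, length, a=A, p=P):
    """x(W_n) for W_n = n*D + W_0, n = 0..length-1; as in the paper, the value is 0 where x is undefined (W_n = O)."""
    seq, w = [], w0
    for _ in range(length):
        seq.append(0 if w is None else w[0])
        w = ec_add(w, d, a, p)
    return seq


def linear_complexity(seq, p):
    """Berlekamp-Massey over F_p: returns (L, [c_0, ..., c_{L-1}]) with L = L(s_n, N) for N = len(seq)
    and s_{n+L} = c_0 s_n + c_1 s_{n+1} + ... + c_{L-1} s_{n+L-1} for 0 <= n <= N-L-1."""
    n = len(seq)
    c = [1] + [0] * n        # connection polynomial C(x): s_i + sum_{j=1..L} c[j] s_{i-j} = 0
    b = [1] + [0] * n        # copy of C(x) from before the last length change
    L, m, bb = 0, 1, 1       # current length, shift since last change, last nonzero discrepancy
    for i in range(n):
        d = seq[i]
        for j in range(1, L + 1):
            d = (d + c[j] * seq[i - j]) % p
        if d == 0:                                   # C(x) already predicts s_i
            m += 1
            continue
        coef = d * pow(bb, -1, p) % p
        prev = c[:]
        for j in range(n + 1 - m):                   # C(x) <- C(x) - coef * x^m * B(x)
            c[j + m] = (c[j + m] - coef * b[j]) % p
        if 2 * L <= i:                               # the recurrence had to get longer
            L, b, bb, m = i + 1 - L, prev, d, 1
        else:
            m += 1
    return L, [(-c[L - k]) % p for k in range(L)]


def satisfies_recurrence(seq, coeffs, p):
    """Check that the recurrence returned by linear_complexity regenerates seq."""
    L = len(coeffs)
    return all(sum(coeffs[k] * seq[n + k] for k in range(L)) % p == seq[n + L]
               for n in range(len(seq) - L))


def complexity_profile(seq, p):
    """L(s_n, N) for N = 1..len(seq); an unpredictable sequence keeps this close to N/2."""
    return [linear_complexity(seq[:N], p)[0] for N in range(1, len(seq) + 1)]


if __name__ == "__main__":
    D = find_point()     # D = (2, y): 3 is a non-square mod 103, so no affine point has x = 0
    t = point_order(D)
    xs = generator_x_sequence(D, ec_add(D, D), t)   # W_0 = 2D, one full period
    L, coeffs = linear_complexity(xs, P)
    print(f"t = {t}, L(x(W_n), t) = {L}, profile tail = {complexity_profile(xs, P)[-4:]}")
```

On a field this small the bound (1.6), which is of order min{t, N}/q, says nothing, so the quantity to inspect is the profile: whoever has seen N outputs can reproduce the rest with a register of length L(s_n, N), and since a sequence of period t has complexity at most t, a generator is only as strong as a profile that stays near N/2 all the way out to its period.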
In this paper, we estimate the linear complexity of the Mumford coordinates of thesequence p W n q defined by (1.4) for hyperelliptic curves of genus g “
2. More precisely, for D P J C p F q q , let η p D q “ r u p D q , v p D qs be its Mumford representation and write(1.5) u p D q “ u p D q X ` u p D q X ` u p D q and v p D q “ v p D q X ` v p D q , where u p D q , u p D q , u p D q , v p D q , v p D q P F q . By (a), u p D q is monic and thus u p D q “ q values D and otherwise u p D q “
0. Thus, one cannot expectstrong randomness properties of it. However, for the other coefficients, our result impliesthe lower bound for the linear complexity(1.6) L p u p W n q , N q ě Z c min t t, N u q ^ , for some absolute and explicit constant c ą
0, where t is the order of D , see Theorem 4.1.A similar bound holds for the other coefficients in (1.5) (except for u ).The most promising case is when the Jacobian J C p F q q is close to being a cyclic group,and D has order t “ q ` o p q (cf. (1.3)).In Section 2, we recall and prove the necessary tools concerning the arithmetic of hy-perelliptic curves. In particular, we recall the Grant representation [11] of the Jacobian ofhyperelliptic curves of genus g “ Arithmetic of hyperelliptic curve with genus g “ C be the hyperelliptic curve defined by (1.1) with f p X q “ X ` b X ` b X ` b X ` b X ` b P F q r X s , for the finite field F q with characteristic char p F q q ‰
2. Let F q be the algebraic closure of F q .2.1. Grant representation.
The Jacobian J C is an abelian variety of dimension 2 [15,Theorem A.8.1.1]. In [11], Grant provides an embedding of J C into the projective space P . Namely, the Jacobian J C can be identified with the vanishing locus of 13 homogenouspolynomials, J C – V p f h , . . . , f h q “ t z P P : f hi p z q “ , ď i ď u , where f hi P F q r Z , Z , Z , Z , Z , Z , Z , Z , Z s are homogenized with respect tothe variable Z . For the expressions f hi , see Appendix A.1.Let(2.1) Θ p F q q “ t D P J C p F q q : ψ p D q “ P ´ O , P P C p F q qu V. ANUPINDI AND L. M´ERAI be the preimage of C p F q q ´ O under ψ . Also write Θ “ Θ p F q q . Let ι : J C Ñ P be theembedding, then(2.2) ι p D q “ $’&’% p z : z : z : z : z : z : z : z q if D P J C z Θ , p q if D “ O , p ´ x : ´ x : ´ x : 1 : ´ y q if D P Θ z O . For D P J C p F q qz Θ p F q q , the components z ij , z ijk of ι p D q can be expressed as rationalfunctions in the coordinates p x , x , y , y q of ψ p D q “ p x , y q ` p x , y q ´ O . Moreover,the Mumford representation η p D q “ r u, v s “ r X ` u X ` u , v X ` v s can also beexpressed with respect to p x , x , y , y q . Namely, write ψ p D q “ p x , y q ` p x , y q ´ O ,if η p D q “ r u, v s “ r X ` u X ` u , v X ` v s , then the relation between ι p D q and η p D q isgiven as follows:For the case x ‰ x , we have z “ ´ x x “ ´ u , z “ x ` x “ ´ u , (2.3) z “ x y ´ x y x ´ x “ v , z “ y ´ y x ´ x “ v ,z “ p x ` x qp x x q ` b p x x q ` b p x ` x q x x ` b x x p x ´ x q ` b p x ` x q ` b ´ y y p x ´ x q . For the case x “ x and y “ y ‰
0, we consider the identifications on page 109 of [11]and after performing some elementary computations, we obtain: z “ ´ x “ ´ u , z “ x “ ´ u z “ ´ f p x q y x ` y “ v , z “ f p x q y “ v ,z “ ´ f p x q y ¯ ´ x ´ b x ´ b x ´ b For the case x “ x and y “ ´ y , we obtain η p D q “ r u, v s “ r , s and ι p D q “ p q .The coordinates z , z and z are given by the defining polynomials f , f and f respectively. See Appendix A.2.We denote the affine part of J C under ι with respect to Z by U . Then U “ J C z Θ . Moreover, by [11, Corollary 2.15], we have U “ V p f , . . . , f q , f i P F q r Z s “ F q r Z , Z , Z , Z , Z , Z , Z , Z s . Since J C is a variety, it is irreducible. It follows that U is irreducible and dense, see [13,Example 1.1.3 ]. Since J C has dimension 2, the dimension of U is also 2. INEAR COMPLEXITY OF HYPERELLIPTIC CURVE SEQUENCES 5
Let F q p U q be the function field of U . Since U is a dense open subset of J C , one can show that F q p U q “ F q p J C q , see [13, Theorem 3.4]. Let h P F q p U q be a rational function. Since h is an equivalence class, we can choose a representative element h h , where deg h is minimal and we define deg h “ max t deg h , deg h u .

Group law.
We describe the group law p Q, R q ÞÑ Q ` R for the most common case, that is, if all elements Q, R, Q ` R, Q ´ R belong to U , see [11, Theorem 3.3].

Lemma 2.1.
Assume that
Q, R, Q ` R, Q ´ R P U . We write (2.4) q p Q, R q “ z p Q q ´ z p R q ` z p Q q z p R q ´ z p R q z p Q q . Then there are rational functions q , q , q , q , q , q on U ˆ U such that for ď i ď j ď we have (2.5) z ij p Q ` R q “ ´ z ij p Q q ´ z ij p R q ` ˆ q i p Q, R q q p Q, R q ˙ ˆ q j p Q, R q q p Q, R q ˙ ´ ˆ q ij p Q, R q q p Q, R q ˙ and z p Q ` R q “ ´ z p Q q ´ z p R q ` q p Q, R q q p Q, R q q p Q, R q ´ q p Q, R q q p Q, R q´ ˆ q p Q, R q q p Q, R q ˙ ` p z p Q q ` z p R qq q p Q, R q q p Q, R q ,z p Q ` R q “ ` z p Q ` R q z p Q ` R q ´ z p Q ` R q ` b z p Q ` R q ´ b ˘ . (2.6)The definitions of the rational functions q, q , q , q , q , q , q are in Appendix A.3.We also computed formulas for z , z , z which are listed in Appendix A.3.For a fixed R P U , we define(2.7) z Rij p Q q “ z ij p Q ` R q , z Rijk p Q q “ z ijk p Q ` R q , z R “ z p Q ` R q . If we consider z Rij p Q q , z Rijk p Q q to be polynomials in the variables z ij p Q q , z ijk p Q q and z p Q q ,then it follows from (2.5), (2.6) and Appendix A.3 that(2.8) deg z Rij ď z Rijk ď z R ď . Lemma 2.2.
Let q p Q, R q be defined by (2.4) and set q R p Q q “ q p Q, R q . Then for any fixed R P U , the zero set t q R p Q q “ q p Q, R q “ u has dimension one and Θ ˘ R Ă t q R “ u . Moreover, if R ‰ ˘ R , then (2.9) |t q R “ u X t q R “ u X U | ď .

Proof.
Let ¯ C be the lifted curve of C defined over some number field K and let p be aprime ideal such that C ” ¯ C mod p . For ¯ C , the zero set of q ¯ R is Θ p ¯ K q ˘ ¯ R , see [11]. Thus,the points in Θ ˘ R are zeros of q R . We show that(2.10) t q R “ u X U V. ANUPINDI AND L. M´ERAI has dimension one. As U is irreducible, it is enough to show that (2.10) is a proper subset.Indeed, suppose that q R vanishes on U . Let Q , Q P U p F q q corresponding to the pairs ofpoints p P , P q and p P , ´ P q with(2.11) P i “ p x i , y i q , y i ‰ , i “ , . Then their first component in the Mumford representation are the same, but with differentsecond components.Substituting to q R , we get by the assumption that q R p Q q “ q R p Q q “ y y “ ´ y y which contradicts (2.11).In order to show (2.9) for R ‰ ˘ R , R, R P U , consider U as embedded in A withrespect to the coordinates z , z , z , z , z , z , z , z . Then for all R P U , q R “ A . Thus the hyperspaces correspondingto R and R are the same if z p R q “ z p R q , z p R q “ z p R q and z p R q “ z p R q and thus R “ ˘ R .Consider the solutions q R p z , z , z q “ q R p z , z , z q “ , where p z , z , z , z , z , z , z , z q P U . As R ‰ ˘ R , the hyperplanes defined by q R and q R are distinct. Moreover, the linear equation system q R p z , z , z q “ z ´ z p R q ` z z p R q ´ z p R q z “ ,q R p z , z , z q “ z ´ z p R q ` z z p R q ´ z p R q z “ ˆ a a a a ˙ ¨˝ z z z ˛‚ “ ˆ c c ˙ with p a , a q ‰ p , q . As p z , z , z , z , z , z , z , z q P U , we can write z “ z z ` b z ´ b z z ´ b z ` b z ` b ´ y y z ` z , (2.13)where y , y are the y -coordinate of the points p x , y q , p x , y q P C such that(2.14) x x “ ´ z and x ` x “ z . Substituting (2.12) into (2.13), we obtain2 y y “p z ` z q p a z ` a z ´ c q ` z z ` b z ´ b z z ´ b z ` b z ` b . 
Taking the square and substituting y i “ f p x i q , ( i “ , f p x q f p x q “ ´ p z ` z q p a z ` a z ´ c q ` z z ` b z (2.15) ´ b z z ´ b z ` b z ` b ¯ . Assume that a ‰
0. The case a “ a ‰ g p z , z q “ z p a z ` a z q ` z z . First, we consider the case that(2.16) g p z , z q “ g ˆ c ´ a z a , z ˙ has degree 3. As f p x q f p x q is a symmetric polynomial in x and x , by (2.14) we canwrite f p x q f p x q “ F p z , z q , F P F q r z , z s , deg F ď . Hence, after the substitution z “ p c ´ a z q{ a , the polynomial equation (2.15) isnon-trivial with degree at most 6. Thus, by (2.12), we obtain at most 12 possible solutionsfor p z , z , z , z , z , z , z , z q .Now consider the case, when (2.16) has degree at most two. By (2.14) and (2.17) wehave(2.17) x “ c ´ a x a ´ a x . Then substituting it into (2.15), after clearing the denominator, we get that the left-handside has degree 10 while the right-hand side has degree at most 9. Thus, there are at most10 solutions for x , and therefore at most 20 solutions for p z , z , z , z , z , z , z , z q by (2.12), (2.14) and (2.17) which proves the result. (cid:3) Lemma 2.3.
For D P U p F q q we have |t Θ p F q q ` D u X Θ p F q q| ď .

Proof.
We want to count the number of elements P i P Θ p F q q such that P i ` D “ P j for some P j P Θ p F q q . Since D P U p F q q , we have ψ p D q “ $’&’% P ` Q ´ O , P, Q P C p F q q , P ‰ Q, P ´ O , P P C p F q q ,P ` Q ´ O , P , Q P C p F q q , P , Q are conjugates over F q . V. ANUPINDI AND L. M´ERAI If ψ p D q “ P ` Q ´ O , P, Q P C p F q q , P ‰ Q , then for ψ p P i q “ ´ P ´ O , ψ p P i ` D q “ Q ´ O P Θ p F q q´ Q ´ O , ψ p P i ` D q “ P ´ O P Θ p F q q , we get 2 intersection points.If ψ p D q “ P ´ O , P P C p F q q , then for ψ p P i q “ ´ P ´ O , we get ψ p P i ` D q “ P ´ O P Θ p F q q . We only get one intersection point.If ψ p D q “ P ` Q ´ O , P , Q P C p F q q and P , Q are conjugates over F q , we get nointersection points, since if P i ` D “ P j , where P i , P j P Θ p F q q , with ψ p P i q “ Q i ´ O and ψ p P j q “ Q j ´ O , Q i , Q j P C p F q q we get ψ p D q “ P ` Q ´ O “ ψ p P j ` p´ P i qq “ Q j ´ Q i ´ O which is a contradiction. (cid:3) Proposition 2.4.
Let h P F q p U q be a rational function with pole divisor of the form n Θ , for n ě . Let W P J C p F q q and D P J C p F q q be an element of order t . Let L be a positive integer with (2.18) L ă min " t ´ ´ | Θ p F q q| , | Θ p F q q| ´ * . Let j ă j ă ¨ ¨ ¨ ă j L ď L ` | Θ p F q q| ` be positive integers such that j i D ` W R Θ p F q q . Let c , . . . , c L P F q with c L ‰ . Then the rational function H P F q p U q , with H p Q q “ L ÿ l “ c l h p Q ` j l D ` W q is non-constant and has degree deg H ď p L ` q deg h.

Proof.
First, we consider the case when W “
0. Defining the function h D : Q ÞÑ h p Q ` D q yields H p Q q “ L ´ ÿ l “ c l h j l D p Q q ` c L h j L D p Q q . We show that there exists Q P U such that it is a pole of h j L D , but not a pole of any otherterms h j l D , for j l ă j L .Observe that h j L D has a pole at Q when Q P Θ p F q q ´ j L D . From Lemma 2.2, we knowthat Θ p F q q ´ j L D Ď t q j L D “ u . Moreover, it follows from Lemma 2.3, that(2.19) | Θ p F q q ´ j L D | ě | Θ p F q q| ´ . By (2.18), we have j l ` j L ď j L ´ ` j L ď L ` | Θ p F q q| ` ă t, for any l ă L , whence j l D ‰ ´ j L D for j l ă j L . Then by Lemma 2.2, we obtain ˇˇˇ´ p Θ p F q q ´ j L D q X U ¯ X t q j l D “ u ˇˇˇ ď |t q j L D “ u X t q j l D “ u X U | ď . INEAR COMPLEXITY OF HYPERELLIPTIC CURVE SEQUENCES 9
Thus, by (2.19) we have that ˇˇˇˇˇ´ p Θ p F q q ´ j L D q X U ¯ z ˜ L ´ ď l “ t q j l D “ u ¸ˇˇˇˇˇ (2.20) “ ˇˇˇˇˇ L ´ č l “ ˆ´ p Θ p F q q ´ j L D q X U ¯ zt q j l D “ u ˙ˇˇˇˇˇ ě | Θ p F q q| ´ ´ L. By (2.18), the set in (2.20) is non-empty, and thus there exists a point Q which is a pole of h j L D but not a pole of any other term of H . Hence, H is non-constant. In the case when W ‰
0, we can define r H p Q q “ H p Q ´ W q “ L ÿ l “ c l h p Q ` j l D ` W ´ W q . Then, by the case Ă W “ W ´ W “
0, we obtain that r H is non-constant. Therefore, there exist Q , Q P U such that r H p Q q ‰ r H p Q q . Hence, we obtain H p Q ´ W q ‰ H p Q ´ W q . This proves that H is non-constant. To estimate the degree of H , we first estimate the degree of the functions h j l D . Let l be arbitrary and define R “ j l D ` W . Let z Rij , z Rijk , z R be as defined in (2.7), then we can write h R p Q q as h R p Q q “ h ` Q ` R ˘ “ h ` z R p Q q , . . . , z R p Q q , z R p Q q ˘ . It follows from (2.8) that deg h R ď p deg h q ` max t deg z Rij , deg z Rijk , deg z R u ˘ “ h, and thus deg H ď deg ˆ L ÿ l “ c l h R ˙ ď p L ` qp deg h q . In particular, the degree does not depend on W . □

Further preliminaries
Linear complexity.
We need the following result on linear complexity, see [20, Lemma 6].
Lemma 3.1.
Let p s n q be a linear recurrent sequence of order L over any finite field F q defined by a linear recursion s n ` L “ c s n ` ¨ ¨ ¨ ` c L ´ s n ` L ´ , n ě . Then for any T ě L ` and pairwise distinct positive integers j , . . . , j T , there exist a , . . . , a T P F q , not all equal to zero, such that T ÿ i “ a i s n ` j i “ , n ě .

Vanishing loci of polynomials.
Let K be a field and let f , . . . , f k P K r X s be polynomials with X “ p X , . . . , X n q . We denote V K p f , . . . , f k q “ t x P K n : f p x q “ ¨ ¨ ¨ “ f k p x q “ u and V p f , . . . , f k q “ V K p f , . . . , f k q . The following result is a multidimensional version of Bézout's Theorem, see [27, Theorem 3.1].
Lemma 3.2.
Assume that f , . . . , f k P K r X s and dim V p f , . . . , f k q ď . Then | V p f , . . . , f k q| ď k ź i “ deg f i .

Main results
Recall that for D P J C p F q q we have defined the sequence p W n q recursively by (1.4), namely W n “ D ` W n ´ “ nD ` W , n “ , , . . . , with some initial value W P J C p F q q . We can assume that D, W P J C p F q q and thus all sequence elements are defined over F q . Let h P F q p J C q and consider the sequence (4.1) w n “ h p W n q , n “ , , . . . with the convention that, if h is not defined at W n , we set w n “ 0. Clearly, p W n q and p w n q are purely periodic sequences, and if t is the order of D in J C p F q q , then t is the period length of p W n q . However, p w n q may have a smaller period length.

Theorem 4.1.
Let C be a hyperelliptic curve of genus . Let h P F q p U q be a rationalfunction in the function field of the Jacobian with pole divisor of the form n Θ , for n ě .If W P J C p F q q and D P J C p F q q is of order t and w n is defined by (4.1) , then L p w n , N q ě Z c min t t, N u q deg h ^ for some absolute constant c ą . Theorem 4.1 yields a lower bound on the linear complexity of the components (1.5) inthe Mumford representation of p W n q . Clearly, u is constant on U . However, applying theresult for h “ ´ z , ´ z , z and z and observing that Θ is a pole of them (cf. (2.2)),we get a lower bound on the linear complexity of the components u , u , v and v by (2.3).As all functions ´ z , ´ z , z and z have degree one, we get (1.6). INEAR COMPLEXITY OF HYPERELLIPTIC CURVE SEQUENCES 11
The result is non-trivial if t ą cq for some constant which may depend on deg h . However, the most important case is that t is close to | J C p F q q| which is p ` o p qq q by (1.3).

Proof.
Let Θ p F q q be defined as in (2.1). Then by (1.2) we have | Θ p F q q| “ | C p F q q| “ q ` O p q { q . We can assume(4.2) N ě | Θ p F q q| ` q ` L ă min " t ´ ´ | Θ p F q q| ´ q | Θ p F q q| , N ´ ´ | Θ p F q q| ´ q | Θ p F q q| ` , t ´ ´ | Θ p F q q| , | Θ p F q q| ´ * since otherwise, we can choose the absolute constant c small enough so that the theoremholds trivially.Let L be the N th linear complexity of the sequence p w n q and let c , . . . , c L P F q suchthat w n ` L “ c w n ` ¨ ¨ ¨ ` c L ´ w n ` L ´ , ď n ď N ´ L ´ . Let p s n q be the infinite linear recurrent sequence with s n “ w n for 0 ď n ă N and s n ` L “ c s n ` ¨ ¨ ¨ ` c L ´ s n ` L ´ , n ě . Let(4.4) 1 ď j ă ¨ ¨ ¨ ă j L ď | Θ p F q q| ` L ` W j i R Θ , ď i ď L . Then by Lemma 3.1, there exist a . . . , a L P F q not all equal to zero, such that L ÿ i “ a i s n ` j i “ , n ě , whence,(4.5) L ÿ i “ a i w n ` j i “ , ď n ă min t N ´ j L , t u as w n “ s n for 0 ď n ď N .We define(4.6) T “ min t N ´ j L , t u and put N “ ! ď n ă T : nD, nD ˘ p j i D ` W q R Θ p F q q , for 0 ď i ď L ) . We observe that there are at most | Θ p F q q| points nD P Θ p F q q and similarly for each j “ ˘ j i ( i “ , . . . , L ), there are 2 | Θ p F q q| elements nD ˘ p j i D ` W q P Θ p F q q . Hence, by(4.3) we have,(4.7) | N | ě T ´ L | Θ p F q q| ´ | Θ p F q q| ą | Θ p F q q| ` p q ` q . Define(4.8) H p Q q “ L ÿ i “ a i h p Q ` j i D ` W q . For Q “ nD , n P N , using Lemma 2.1, we see that H is well-defined. By (4.5), H vanisheson Q “ nD , n P N . We give an upper bound on the number of zeros of H to get theresults together with (4.6) and (4.7).Let us fix a representation of H as a rational function G { G P F q p Z q . Then this set isfinite and contains the zeros of H and thus(4.9) | N | ď | V F q p f , . . . , f , G q| where f , . . . , f are the defining equations of U . See Appendix A.1.In order to estimate the size of (4.9), for r P F q , write g r p Z q “ Z ´ r . Clearly,(4.10) V F q p f , . . . 
, f , G q Ă ď r P F q V p f , . . . , f , G , g r q . We claim that for any r P F q , (4.11) dim p V p f , . . . , f , G , g r qq “ . From Proposition 2.4, we know that H is non-constant, therefore, dim p V p f , . . . , f , G qq “ . Hence, if (4.11) were not true, then dim p V p f , . . . , f , G , g r qq “ g r P x f , . . . , f , G y . Let D P U such that G p D q “
0. Then we also have g r p D q “
0. As all nD for n P N arezeros of G , it has at least(4.12) 2 | Θ p F q q| ` p q ` q ` D “ r P ` Q ´ O s P U p F q q , with P “ p x P , y P q , Q “p x Q , y Q q , is a zero of g r , then g r p D q “ z p D q ´ r “ ´ x P x Q ´ r “ . If P, Q P C p F q q , then P determines Q apart from sign, therefore there are at most 2 | Θ p F q q| such zeros. On the other hand, if P, Q P C p F q q and P and Q are conjugated, then wemust have x Q “ x qP and thus x q ` P “ ´ r . As there are at most q ` p q ` q such divisors. Then it yields that g r has at most 2 | Θ p F q q| ` p q ` q zerosover F q , which contradicts (4.12). Then we have proved (4.11).By Lemma 3.2 and (4.11) we have | V p f , . . . , f , G , g r q| ď ź i “ deg f i ¨ deg G ď
216 deg G , and thus by (4.10), (4.13) V F q p f , . . . , f , G q ď q deg G ď q deg H.
Then it follows from Proposition 2.4, (4.7) and (4.9) that T ´ L | Θ p F q q| ´ | Θ p F q q| ď | N | ď q deg H ď p L ` q q deg h. Whence (4.4) and (4.6) yield the result with some absolute constant c ą . □

Comments
The usage of elliptic curves in pseudorandom number generation is an extensive research direction, see for example the survey paper [28] for a discussion of properties of pseudorandomness of the elliptic curve case of the sequence (1.4) and further references as well as other constructions.

Despite some results on the application of hyperelliptic curves in pseudorandom number generation (see [6, 7, 19]), this line of research has never been studied systematically. In Theorem 4.1, we obtain lower bounds on the linear complexity of the sequence derived from (1.4).

The bound we obtain is non-trivial and sufficient for application; however, we conjecture that a stronger bound for the N -th linear complexity holds. Numerical experiments suggest that if h is a coordinate function in (1.5), then for most cases L p w n , t q “ r t { s .

In addition to the N -th linear complexity, other pseudorandom properties, like uniform distribution, also need to be investigated. The main tool would be the higher genus analogue of [17], where the authors obtained bounds on exponential sums over elliptic curves.

Acknowledgement

The authors wish to thank Arne Winterhof for the valuable discussions and Igor Shparlinski for useful comments. The authors were supported by the Austrian Science Fund Project P31762.
Appendix A

A.1. Defining equations of the Jacobian.
Let S “ K r Z , Z , Z , Z , Z , Z , Z , Z , Z s be a polynomial ring over a field K with characteristic p ‰
2. Following [11], in particularTheorem 2.5, Theorem 2.11 and Corollary 2.15, we define f i as follows: f “ Z ` Z Z ` b Z Z ` b Z Z Z ´ b Z Z ` b Z Z ´ b Z ` b ZZ ´ b ZZ ` b ZZ ` p b ´ b b q Z Z ` p b ´ b b q Z Z ` p b b ´ b b ´ b q Z Z ´ b b Z ` p b b ´ b q Z ` p b b ´ b q Z ` b p b ´ b b q Z p b b ´ b b q Z ` b b b ´ b b ´ b b ,f “ Z ´ Z Z ` Z ´ b Z ` b ,f “ Z ´ Z Z ` Z Z ,f “ Z ` Z Z ` Z Z ´ Z Z ´ b Z ` b Z , f “ Z ´ Z Z ` ZZ ` Z Z ´ b Z Z ´ b Z Z ` b Z ´ b b Z ` b Z ` b b ´ b ,f “ Z ´ Z ´ Z Z ´ b Z ´ Z ´ b Z ´ b ,f “ Z Z ´ Z Z ` Z ´ b Z ´ b Z Z ,f “ Z ´ Z ´ b Z ´ b Z Z ` b Z Z ` b Z ` p b b ´ b b q Z ´ b b Z ` p b b ´ b q Z b b b ` b b ´ b b ´ b b ,f “ ´ Z Z ` b Z Z ´ b Z Z ` b Z Z ´ b Z Z ` b Z ´ Z ´ b ZZ ` b ZZ ´ b ZZ ´ b Z Z ` b b Z Z ´ p b ` b b q Z Z ` b b Z ´ p b b ` b q Z ` p b b ` b b b ` b b ´ b ´ b b q Z ´ b Z ` b p b ´ b q Z ` b b b ´ b b b ´ b b ,f “ Z ´ Z Z ` Z Z ´ b Z Z ` b Z Z ´ b Z ` b Z ` p b b ´ b b ´ b q Z ´ b b Z ` b b ´ b b ,f “ Z Z ´ Z Z ´ ZZ ` Z ´ b Z Z ` b Z Z ´ b Z Z ` b Z ´ b Z ` b Z ` p b ´ b b q Z ` p b b ´ b q Z ´ b b ,f “ Z ´ Z Z ` Z Z ` Z Z ´ b Z Z ` b Z ` p b ´ b b q Z ` b b ´ b ,f “ Z Z ´ Z Z ´ b Z ` b Z ,f “ Z Z ´ Z Z ´ Z Z ´ b Z ` b Z ´ b Z . One can show that f P x f , f , f y and the vanishing locus of these polynomials homoge-nized with respect to the variable Z forms a set of defining equations for the Jacobian J C ,i.e J C “ V p f h , . . . , f h q “ t z P P p ¯ K q : f hi p z q “ , ď i ď u A.2.
Rational embedding for the Jacobian.
Recall Equation (2.2), where for any D P U with ψ p D q “ p x , y q`p x , y q´ O , the image of D under the embedding ι : J C Ñ P is given by ι p D q “ p z : z : z : z : z : z : z : z q where, z ij , z ijk are rational functions in the coordinates x , x , y , y of ψ p D q as shownbelow. For more details, see [11, Equation 1.4]. z “ p x ` x qp x x q ` b p x x q ` b p x ` x q x x ` b x x p x ´ x q INEAR COMPLEXITY OF HYPERELLIPTIC CURVE SEQUENCES 15 ` b p x ` x q ` b ´ y y p x ´ x q ,z “ ´ x x ,z “ x ` x ,z “ y Ψ p x , x q ´ y Ψ p x , x qp x ´ x q , where,Ψ p x , x q “ b ` b p x ` x q ` b x p x ` x q ` b x p x ` x q` b x x ` x x p x ` x q ,z “ y x ´ y x x ´ x ,z “ ´ y x ´ y x x ´ x ,z “ y ´ y x ´ x .z “ p z z ´ z ` b z ´ b q We consider U embedded in A by considering the isomorphism given by p z : z : z : z : z : z : z : z q ÞÑ p z , z , z , z , z , z , z , z q A.3.
Addition formulas.
In Lemma 2.1, we stated the group law on U as given in [11,Theorem 3.3]. This reference gives instructions as to how one could compute z p Q ` R q , z p Q ` R q , z p Q ` R q but does not state them explicitly in the paper. To estimate thedegree of these functions, we computed the formulas for z p Q ` R q , z p Q ` R q , z p Q ` R q as follows: z p Q ` R q “ ´ z p Q q ´ z p R q ` q p Q, R q q p Q, R q q p Q, R q ` q p Q, R q q p Q, R q q p Q, R q ´ q p Q, R q q p Q, R q ´ q p Q, R qp q p Q, R qq q p Q, R q ` p z p Q q ` z p R qq q p Q, R q q p Q, R q ` p z p Q q ` z p R qq q p Q, R q q p Q, R q z p Q ` R q “ ´ z p Q q ´ z p R q ` q p Q, R q q p Q, R q q p Q, R q ` q p Q, R q q p Q, R q q p Q, R q ´ q p Q, R q q p Q, R q´ q p Q, R qp q p Q, R qq q p Q, R q ` p z p Q q ` z p R qq q p Q, R q q p Q, R q z p Q ` R q “ ´ z p Q q ´ z p R q ` q p Q, R q q p Q, R q q p Q, R q ´ q p Q, R q q p Q, R q ´ ˆ q p Q, R q q p Q, R q ˙ ` p z p Q q ` z p R qq q p Q, R q q p Q, R q z p Q ` R q “ p z p Q ` R q z p Q ` R q ´ z p Q ` R q ` b z p Q ` R q ´ b q To evaluate the addition formulas from Lemma 2.1, we need the following functions: q p Q, R q “ z p Q q ´ z p R q ` z p Q q z p R q ´ z p R q z p Q q ,q p Q, R q “ z p Q q ´ z p R q ` z p Q q z p R q ´ z p R q z p Q q` z p R q z p Q q ´ z p Q q z p R q ,q p Q, R q “ z p Q q ´ z p R q ` z p Q q z p R q ´ z p R q z p Q q` z p R q z p Q q ´ z p Q q z p R q ,q p Q, R q “ b q p Q, R q ` b p z p Q q ´ z p R qq ` pp z ´ b z ` b qp Q q z p R qq´ pp z ´ b z ` b qp R q z p Q qq ´ b p z p Q q ´ z p R qq` p z p Q q z p R q ´ z p R q z p Q qq ,q p Q, R q “ b p z p Q q ´ z p R qq ` b p z p Q q z p R qq´ b p z p R q z p Q qq ´ p z p Q q z p R q ´ z p R q z p Q qq` pp z ´ b z ` b qp Q q z p R q ´ p z ´ b z ` b qp R q z p Q qq´ b p z p Q q ´ z p R qq ` z p R q z p Q q ´ z p Q q z p R q ,q p Q, R q “ b p z p Q q z p R q ´ z p R q z p Q qq ` b z p Q q´ b z p R q ´ p z p Q q z p R q ´ z p R q z p Q qq´ pp z ´ b z ` b qp Q q ´ p z ´ b z ` b qp R qq` p z 
p Q q z p R q ´ z p R q z p Q qq ,q p Q, R q “ b q p Q, R q` p z p Q q z p Q q z p R q ´ z p R q z p R q z p Q qq` z p R qp z p Q qp z p Q q ´ z p R q ` b q ´ b z p Q qq´ z p Q qp z p R qp z p R q ´ z p Q q ` b q ´ b z p R qq` z p Q qp z p R qp z p R q ´ z p Q q ` b q ` b q´ z p R qp z p Q qp z p Q q ´ z p R q ` b q ` b q A.3.1.
Formulas for q ijk . There are multiple ways to compute formulas for q ijk , e.g. q ijk p Q, R q “ D i p q jk qp Q, R q “ D j p q ik qp Q, R q “ D k p q ij qp Q, R q where D i is the differential operator as defined in the proof of [11, Theorem 3.3]. We used the Python package SymPy to compute the formulas and chose the following expressions
INEAR COMPLEXITY OF HYPERELLIPTIC CURVE SEQUENCES 17 for q ijk : q “ D p q q ,q “ D p q q ,q “ D p q q ,q “ D p q q .q p Q, R q “ z p R q ` ´ z p Q q ` z p Q q p z p R q ´ b q ´ z p Q q b ´ b ˘ ` z p R q p´ z p Q q z p R q ´ b q` z p Q q p z p R q z p Q q ` b q` z p Q q ` ´ z p Q q z p R q ` z p R q ` z p R q b ` z p R q b ` b ˘ ` z p Q q p z p Q q z p R q ´ z p R q z p R q ´ z p R q b ` z p R q b q` z p R q p z p Q q z p Q q ` z p Q q p´ z p R q ` b q ´ z p Q q b q q p Q, R q “ z p Q q p z p Q q z p R q ´ z p R q b ´ b q` z p Q q p´ z p R q ` z p R q z p Q q ` z p R q p z p R q ` b q ` b q` z p R q p z p Q q ` z p Q q p´ z p Q q ´ z p R q ´ b q ´ b q` z p Q qp´ z p R q z p R q ´ z p Q q z p R q ´ z p R q ´ z p R q b ` z p R q b ` b q` z p R q ` z p Q q z p Q q ` z p Q q ` z p Q q p z p R q ` b q´ z p Q q b ´ b q` z p R q p z p Q q p´ z p R q ` b q ` b q q p Q, R q “ z p R q ` ´ z p Q q ` z p Q q p´ z p R q ´ b q ´ b ˘ ` z p R q p´ z p Q q ` z p Q q p z p R q ´ b q ´ b q` z p Q q ` z p Q q z p R q ´ z p R q z p R q ´ z p R q ´ z p R q b ´ b ˘ ` z p Q q ` z p Q q z p R q ` z p R q ` z p R q b ` b ˘ ` z p R q ` z p Q q z p Q q ´ z p R q z p Q q ` z p Q q ` z p Q q b ` b ˘ ` z p Q q p z p R q ´ z p Q q z p R q ` z p R q b ` b q q p Q, R q “ z p R q p´ z p Q q ` z p R q ` z p Q q p z p Q q ` b qq` z p R q ` ´ z p Q q ´ z p R q ´ z p Q q ´ z p Q q b ´ b ˘ ` z p Q q p´ z p Q q ´ z p R qq` z p Q q p´ z p Q q ` z p R q ` z p R q p´ z p R q ´ b qq` z p R q p z p Q q ` z p R qq` z p Q q ` z p Q q ` z p R q ` z p R q ` z p R q b ` b ˘ References
Johann Radon Institute for Computational and Applied Mathematics, Austrian Academy of Sciences and Institute of Financial Mathematics and Applied Number Theory, Johannes Kepler University, Altenberger Straße 69, A-4040 Linz, Austria
Email address: [email protected]